A PRACTICAL APPROACH TO IMPLEMENTING REAL-TIME SEMANTICS


GERALD LÜTTGEN, GIRISH BHAT, AND RANCE CLEAVELAND


Abstract. This paper investigates implementations of process algebras which are suitable for modeling concurrent real-time systems. It suggests an approach for efficiently implementing real-time semantics using dynamic priorities. For this purpose a process algebra with dynamic priority is defined, whose semantics corresponds one-to-one to traditional real-time semantics. The advantage of the dynamic-priority approach is that it drastically reduces the state-space sizes of the systems in question while preserving all properties of their functional and real-time behavior.

The utility of the technique is demonstrated by a case study which deals with the formal modeling and verification of the SCSI-2 bus protocol. The case study is carried out in the Concurrency Workbench of North Carolina, an automated verification tool in which the process algebra with dynamic priority is implemented. It turns out that the state space of the bus-protocol model is about an order of magnitude smaller than the one resulting from real-time semantics. The accuracy of the model is established by applying model checking to verify several mandatory properties of the bus protocol.
1. Introduction. A variety of formal approaches have been introduced for modeling and verifying concurrent and distributed systems, many of which are based on a common scheme consisting of three basic components, as depicted in Figure 1.1: a specification language, a semantic model, and a verification method. Specification languages provide a syntactic means for describing (abstractions of) real-world systems and can be of graphical nature (e.g., Statecharts [19]), term-based (e.g., process algebras [21, 27]), or variants of logics (e.g., monadic logics [18]). Figure 1.1 illustrates the different looks and feels of these languages by a small example modeling the behavior of a simple one-place buffer, which cyclically offers communications on ports in and out. Many specification languages have in common that their semantics is given in terms of operational models. More precisely, syntactic models are compiled to (labeled) transition systems which describe the real-world system's operational behavior. Transition systems provide a convenient structure on which many verification methods work, from simple reachability analyses, which allow for analyzing, e.g., deadlock behavior, to more advanced techniques such as model checking [10]. However, only with the advent of verification tools [15, 20, 22, 25] in the last decade have formal approaches emerged as practical aids for system designers [2, 14, 17].
Fig. 1.1. A typical verification framework.


This paper addresses the problem of modeling and verifying concurrent systems where real-time plays an important role for their functional behavior. On the one hand, real-time is often used to implement synchronization constraints in distributed environments. As an example of a synchronization constraint, consider a communication protocol where the next protocol phase may only be entered if some or all components agree. On the other hand, electrical phenomena, e.g., wire glitches that may lead to malfunction, can be avoided using deskew delays. Thus, for accurately modeling these systems it is necessary to capture their real-time aspects, thereby motivating the need for real-time specification languages, such as real-time process algebras [28, 29], and for their efficient implementation. Existing implementations of real-time process algebras typically cause state spaces to explode, thereby making many verification methods impracticable. The reason for the state explosion is that time is considered as part of the state, i.e., a new state is generated for every clock tick. We tackle this problem by using dynamic priorities to model real-time. We introduce a new process algebra, called CCS_dp (Calculus of Communicating Systems with dynamic priority), which essentially extends the Calculus of Communicating Systems (CCS) [27] by assigning priority values to actions. Unlike conventional process algebras with priority [9, 11, 12], actions in our algebra do not have fixed or static priority values; they may change as systems evolve. It is in this sense that we refer to CCS_dp as a process algebra with dynamic priority. In contrast to traditional real-time process algebras, e.g., a variation of Temporal CCS [28] which we refer to as CCS_rt (CCS with real-time), the semantics of CCS_dp interprets delays preceding actions as priority values attached to these actions, i.e., the longer the delay preceding an action, the lower is its priority. CCS_dp semantics avoids the unfolding of delay values into sequences of elementary steps, each consuming one time unit, thereby providing a formal foundation for efficiently implementing real-time semantics. The soundness and completeness of this technique is proved by establishing a one-to-one correspondence between CCS_dp and CCS_rt semantics in terms of bisimulation [27] and temporal logics [10]. It is important to note that our approach does not abstract away any aspects of real-time. Thus, all quantitative timing explicit in CCS_rt semantics can still be analyzed within CCS_dp semantics.

The utility of our technique is shown by means of a real-world example, namely modeling and verifying several aspects of the bus protocol of the Small Computer System Interface (SCSI), a protocol used in many of today's computers. The protocol's model is derived from the official ANSI standard [1], where real-time delays are recommended for implementing synchronization constraints as well as for ensuring correct behavior in the presence of signal glitches. An accurate model of the SCSI-2 bus protocol thus requires one to consider real-time. To this end, we model the protocol in the syntax common to both CCS_rt and CCS_dp. We then generate the state spaces according to both semantics and show that the size of our model is an order of magnitude smaller in CCS_dp semantics than in CCS_rt semantics. The modeling of the protocol was carried out in the Concurrency Workbench of North Carolina [16], CWB-NC, a tool for analyzing and verifying concurrent systems. In order to testify to the accuracy of our modeling, we extract several mandatory properties of the bus protocol and specify them in the modal mu-calculus [24]. We then use the local model checker [4] integrated in the CWB-NC for automatically validating the properties under consideration.

The remainder of this paper is organized as follows. The next section presents our process-algebraic framework including the real-time process algebra CCS_rt and the process algebra CCS_dp with dynamic priority. The one-to-one relationship between CCS_dp and CCS_rt semantics is established in Section 3. An overview of the SCSI-2 bus and its protocol is given in Section 4, whereas Section 5 describes its modeling in our language. Some properties of the bus protocol are formalized and checked for our model in Section 6. The following section discusses our approach and compares it to related work. Section 8 contains our conclusions and directions for future work. Finally, the complete model of the bus protocol can be found in the appendix.

2. Process-Algebraic Framework. In this section we introduce the process algebra CCS_rt inspired by [28] and develop the process algebra CCS_dp, which has the same syntax but different semantics. Whereas CCS_rt is an extension of CCS [27] in order to capture discrete quantitative timing aspects with respect to a single, global clock, CCS_dp extends CCS by a concept of dynamic priority.

2.1. Syntax of our Language. The syntax of CCS_rt and CCS_dp differs from CCS by associating delay and priority values with actions, respectively. Moreover, we include the disabling operator $[>$, known from LOTOS [5], which allows for a more compact notation of the bus-protocol model. Formally, let $\Lambda$ be a countable set of action labels or ports, not including the so-called internal or unobservable action $\tau$. With every $a \in \Lambda$ we associate a complementary action $\bar a$. Intuitively, an action $a \in \Lambda$ may be thought of as representing the receipt of an input on port $a$, while $\bar a$ constitutes the deposit of an output on $a$. We define $\bar\Lambda =_{df} \{\bar a \mid a \in \Lambda\}$ and take $\mathcal A$ to denote the set of all actions $\Lambda \cup \bar\Lambda \cup \{\tau\}$. In what follows, we let $a, b, \ldots$ range over $\Lambda \cup \bar\Lambda$ and $\alpha, \beta, \ldots$ over $\mathcal A$. Complementation is lifted to actions in $\Lambda \cup \bar\Lambda$, also called visible actions, by defining $\bar{\bar a} =_{df} a$. As in CCS an action $a$ communicates with its complement $\bar a$ to produce the internal action $\tau$. In our syntax actions are associated with delay values, or priority values, taken from the set of natural numbers $\mathbb N$. More precisely, the notation $\alpha{:}k$, where $\alpha \in \mathcal A$ and $k \in \mathbb N$, specifies that action $\alpha$ is ready for execution after a minimum delay of $k$ time units or, respectively, that action $\alpha$ possesses (at most) priority $k$. In the priority interpretation, smaller numbers encode higher priority values; so $0$ represents the highest priority. The syntax of our language is defined by the BNF

$$P ::= 0 \;\big|\; x \;\big|\; \alpha{:}k.P \;\big|\; P + P \;\big|\; P \mathrel{[>} P \;\big|\; P \mid P \;\big|\; P[f] \;\big|\; P \setminus L \;\big|\; \mu x.P$$

where $k \in \mathbb N$, the mapping $f : \mathcal A \to \mathcal A$ is a relabeling, $L \subseteq \mathcal A \setminus \{\tau\}$ is a restriction set, and $x$ is a variable taken from some countable domain $\mathcal V$. A relabeling $f$ satisfies the properties $f(\tau) = \tau$ and $f(\bar a) = \overline{f(a)}$. If $f(a_i) = b_i$ for $1 \le i \le n$ and $n \in \mathbb N$, and $f(a) = a$ for all $a \neq a_i$, where $1 \le i \le n$, we also write $[b_1/a_1, \ldots, b_n/a_n]$ for $f$. We adopt the usual definitions for free and bound variables, open and closed terms, and guarded recursion, and refer to the closed and guarded terms as processes [27]. The syntactic substitution of all free occurrences of variable $x$ by term $Q$ in term $P$ is symbolized by $P[Q/x]$, and syntactic equality by $\equiv$. Finally, we let $\mathcal P$, ranged over by $P, Q, \ldots$, denote the set of all processes.


2.2. Real-Time Semantics. This section introduces a real-time semantics for our language, in this context referred to as CCS_rt semantics, which explicitly represents timing behavior. Formally, the semantics of a process is defined by a labeled transition system which contains explicit clock transitions, each representing a delay of one time unit, as well as action transitions. With respect to clock transitions, the operational semantics is set up such that processes willing to communicate with some process running in parallel are able to wait until the communication partner is ready. However, as soon as it is available the communication has to take place, i.e., further idling is prohibited. This assumption is usually referred to as maximal progress assumption [29] or synchrony hypothesis [3] and employed in many successful specification languages, including Statecharts [19] and Esterel [3].

Formally, the labeled transition system for a process $P$ is a four-tuple $(\mathcal P, \mathcal A \cup \{1\}, \longmapsto, P)$ where $\mathcal P$ is the set of states, $\mathcal A \cup \{1\}$ is the alphabet satisfying $1 \notin \mathcal A$, $\longmapsto$ is the transition relation, and $P$ represents the start state. The transition relation $\longmapsto \subseteq \mathcal P \times (\mathcal A \cup \{1\}) \times \mathcal P$ is defined in Tables 2.1 and 2.2 using operational rules. For the sake of simplicity, let us use $\gamma$ as a representative of $\mathcal A \cup \{1\}$ and write $P \overset{\gamma}{\longmapsto} P'$ instead of $(P, \gamma, P') \in \longmapsto$. We say that $P$ may engage in transition $\gamma$ and thereafter behave like process $P'$. If $\gamma = 1$ we speak of a clock transition, otherwise of an action transition. Sometimes it is convenient to abbreviate $\exists P' \in \mathcal P.\ P \overset{\gamma}{\longmapsto} P'$ by $P \overset{\gamma}{\longmapsto}$. In order to ensure maximal progress our semantics is set up in a way such that $P \overset{1}{\not\longmapsto}$ whenever $P \overset{\tau}{\longmapsto}$, i.e., clock transitions are prevented as long as $P$ can engage in internal computation.


Table 2.1
Operational semantics for CCS_rt action transitions.

  (Act)   $\alpha{:}0.P \overset{\alpha}{\longmapsto} P$

  (Sum1)  $\dfrac{P \overset{\alpha}{\longmapsto} P'}{P + Q \overset{\alpha}{\longmapsto} P'}$

  (Sum2)  $\dfrac{Q \overset{\alpha}{\longmapsto} Q'}{P + Q \overset{\alpha}{\longmapsto} Q'}$

  (Dis1)  $\dfrac{P \overset{\alpha}{\longmapsto} P'}{P \mathrel{[>} Q \overset{\alpha}{\longmapsto} P' \mathrel{[>} Q}$

  (Dis2)  $\dfrac{Q \overset{\alpha}{\longmapsto} Q'}{P \mathrel{[>} Q \overset{\alpha}{\longmapsto} Q'}$

  (Com1)  $\dfrac{P \overset{\alpha}{\longmapsto} P'}{P \mid Q \overset{\alpha}{\longmapsto} P' \mid Q}$

  (Com2)  $\dfrac{Q \overset{\alpha}{\longmapsto} Q'}{P \mid Q \overset{\alpha}{\longmapsto} P \mid Q'}$

  (Com3)  $\dfrac{P \overset{a}{\longmapsto} P' \qquad Q \overset{\bar a}{\longmapsto} Q'}{P \mid Q \overset{\tau}{\longmapsto} P' \mid Q'}$

  (Rel)   $\dfrac{P \overset{\alpha}{\longmapsto} P'}{P[f] \overset{f(\alpha)}{\longmapsto} P'[f]}$

  (Res)   $\dfrac{P \overset{\alpha}{\longmapsto} P'}{P \setminus L \overset{\alpha}{\longmapsto} P' \setminus L}$ provided $\alpha \notin L \cup \bar L$

  (Rec)   $\dfrac{P[\mu x.P/x] \overset{\alpha}{\longmapsto} P'}{\mu x.P \overset{\alpha}{\longmapsto} P'}$

Table 2.2
Operational semantics for CCS_rt clock transitions.

  (tNil)   $0 \overset{1}{\longmapsto} 0$

  (tAct1)  $\alpha{:}0.P \overset{1}{\longmapsto} \alpha{:}0.P$ provided $\alpha \neq \tau$

  (tAct2)  $\alpha{:}k.P \overset{1}{\longmapsto} \alpha{:}(k-1).P$ provided $k > 0$

  (tSum)   $\dfrac{P \overset{1}{\longmapsto} P' \qquad Q \overset{1}{\longmapsto} Q'}{P + Q \overset{1}{\longmapsto} P' + Q'}$

  (tDis)   $\dfrac{P \overset{1}{\longmapsto} P' \qquad Q \overset{1}{\longmapsto} Q'}{P \mathrel{[>} Q \overset{1}{\longmapsto} P' \mathrel{[>} Q'}$

  (tCom)   $\dfrac{P \overset{1}{\longmapsto} P' \qquad Q \overset{1}{\longmapsto} Q'}{P \mid Q \overset{1}{\longmapsto} P' \mid Q'}$ provided $P \mid Q \overset{\tau}{\not\longmapsto}$

  (tRel)   $\dfrac{P \overset{1}{\longmapsto} P'}{P[f] \overset{1}{\longmapsto} P'[f]}$

  (tRes)   $\dfrac{P \overset{1}{\longmapsto} P'}{P \setminus L \overset{1}{\longmapsto} P' \setminus L}$

  (tRec)   $\dfrac{P[\mu x.P/x] \overset{1}{\longmapsto} P'}{\mu x.P \overset{1}{\longmapsto} P'}$

Intuitively, process $\alpha{:}k.P$, where $k > 0$, may engage in a clock transition and then behave like process $\alpha{:}(k-1).P$. Process $\alpha{:}0.P$ performs an $\alpha$-transition to state $P$ and, if $\alpha \neq \tau$, it may also idle by performing a clock transition to itself. The summation operator $+$ denotes non-deterministic choice, i.e., $P + Q$ may either behave like $P$ or $Q$. However, time has to proceed equally on both sides of summation. Hence, $P + Q$ can engage in a clock transition and delay the choice if and only if both $P$ and $Q$ can engage in a clock tick. Process $P \mathrel{[>} Q$, involving the disabling operator $[>$, has the same semantics for clock transitions. For action transitions it behaves like $P$ and, additionally, it is capable of disabling $P$ by engaging in $Q$. The restriction operator $\setminus L$ prohibits the execution of actions in $L \cup \bar L$ and thus permits the scoping of actions. $P[f]$ behaves exactly as $P$ where actions are renamed by the relabeling $f$. Process $P \mid Q$ stands for the parallel composition of $P$ and $Q$ according to an interleaving semantics with synchronous communication on complementary actions resulting in the internal action $\tau$. Similar to summation and disabling, $P$ and $Q$ must synchronize on clock transitions according to Rule (tCom). Its side condition ensures maximal progress, i.e., there is no pending communication between $P$ and $Q$. Finally, $\mu x.P$ denotes a recursive process that is a distinguished solution of the equation $x = P$. Our semantics satisfies the following properties.

Proposition 2.1. Let $P, P', P'' \in \mathcal P$. Then: (i) $P \overset{\tau}{\not\longmapsto}$ implies $P \overset{1}{\longmapsto}$ [idling], (ii) $P \overset{\tau}{\longmapsto}$ implies $P \overset{1}{\not\longmapsto}$ [maximal progress], and (iii) $P \overset{1}{\longmapsto} P'$ and $P \overset{1}{\longmapsto} P''$ implies $P' \equiv P''$ [time determinacy].

The validity of Part (i) is a consequence of the idling capability of $0$ and of $\alpha{:}k.P$ for $k > 0$ or $\alpha \neq \tau$. Properties (ii) and (iii) can be checked by inductions on the structure of $P$ and on the maximum of the depths of the derivation trees of $P \overset{1}{\longmapsto} P'$ and $P \overset{1}{\longmapsto} P''$, respectively. For CCS_rt a semantic theory based on bisimulation [27] has been developed. In this paper we restrict ourselves to strong bisimulation.

Definition 2.2 (Temporal Bisimulation). A symmetric relation $\mathcal R \subseteq \mathcal P \times \mathcal P$ is called temporal bisimulation if for every $P' \in \mathcal P$, $(P, Q) \in \mathcal R$ and $\gamma \in \mathcal A \cup \{1\}$ the following holds: $P \overset{\gamma}{\longmapsto} P'$ implies $\exists Q'.\ Q \overset{\gamma}{\longmapsto} Q'$ and $(P', Q') \in \mathcal R$. We write $P \sim_{rt} Q$ if $(P, Q) \in \mathcal R$ for some temporal bisimulation $\mathcal R$.

The behavioral relation $\sim_{rt}$, which can be shown to be an equivalence, enjoys several pleasant properties. The most important one is the congruence property, which gives rise to compositional reasoning since it allows the substitution of "equals for equals" inside larger systems. Note that temporal bisimulation requires equivalent processes to match each other's behavior exactly, including their timing behavior.

Unfortunately, CCS_rt semantics unfolds delay values into sequences of elementary time units, thereby creating many states. For example, process $a{:}k.0$ has $k + 2$ states, namely $0$ and $a{:}l.0$ where $0 \le l \le k$ (cf. Figure 3.1 in Section 3). It would be much more efficient if one could represent $a{:}k.0$ by a single transition labeled by $a{:}k$ leading to state $0$. This compactification in the representation of state spaces of real-time systems can be implemented by viewing $k$ as a priority value assigned to $a$. In other words, one may consider the delay value $k$ as the time stamp of action $a$. In the following we elaborate on this idea.

2.3. Dynamic-Priority Semantics. In order to formalize our intuition we present a new semantics for our language that uses a notion of priority taken from [11], generalized to a multi-level priority scheme [26]. We refer to our process algebra as CCS_dp when interpreted with respect to the new semantics which, in contrast to classical approaches to priority, dynamically adjusts priorities along transitions. Intuitively, visible actions represent potential synchronizations that a process may be willing to engage in with its environment. Given a choice between a synchronization on a high priority and one on a low priority, a process should choose the former. Thus, high-priority $\tau$-actions pre-empt low-priority actions. The reason that high-priority visible actions do not have pre-emptive power over low-priority actions is that visible actions only indicate the potential of a synchronization, i.e., the potential of progress, whereas $\tau$-actions describe complete synchronizations, i.e., real progress, in our model. Formally, the CCS_dp semantics of a process $P$ is given by a labeled transition system $(\mathcal P, \mathcal A \times \mathbb N, \longrightarrow, P)$. The presentation of the operational rules defining the transition relation $\longrightarrow$ requires two auxiliary definitions.

Table 2.3
Potential initial action sets.

  $I^k(0) =_{df} \emptyset$
  $I^k(\alpha{:}l.P) =_{df} \{\alpha \mid l \le k\}$
  $I^k(P + Q) =_{df} I^k(P) \cup I^k(Q)$
  $I^k(P \mathrel{[>} Q) =_{df} I^k(P) \cup I^k(Q)$
  $I^k(P[f]) =_{df} \{f(\alpha) \mid \alpha \in I^k(P)\}$
  $I^k(P \setminus L) =_{df} I^k(P) \setminus (L \cup \bar L)$
  $I^k(\mu x.P) =_{df} I^k(P[\mu x.P/x])$
  $I^k(P \mid Q) =_{df} I^k(P) \cup I^k(Q) \cup \{\tau \mid I^k(P) \cap \overline{I^k(Q)} \neq \emptyset\}$

First, we introduce potential initial action sets which are defined to be the least sets satisfying the equations in Table 2.3. Intuitively, $I^k(P)$ denotes the set of all potential initial actions of $P$ having at least priority $k$. For convenience, we abbreviate $\bigcup\{I^l(P) \mid l < k\}$ by $I^{<k}(P)$. If $k > 0$, it is easy to see that $I^{<k}(P) = I^{k-1}(P)$. It is also important that the potential initial action sets are defined independently of the transition relation $\longrightarrow$, so $\longrightarrow$ is well-defined. The following proposition states that the definition of the potential initial action sets is faithful for internal actions, which is fundamental for encoding our desired notion of pre-emption. Its proof is analogous to one in [26] where similar definitions have been used for encoding the same notion of pre-emption within a multi-level static-priority framework.

Proposition 2.3. For all $P \in \mathcal P$ and $k \in \mathbb N$ we have: $\tau \in I^{<k}(P)$ if and only if $P \xrightarrow{\tau:l}$ for some $l < k$.

Table 2.4
Priority adjustment function.

  $[0]^k =_{df} 0$
  $[x]^k =_{df} x$
  $[\alpha{:}l.P]^k =_{df} \alpha{:}(l - k).P$ if $l \ge k$
  $[\alpha{:}l.P]^k =_{df} \alpha{:}0.P$ if $l < k$
  $[P + Q]^k =_{df} [P]^k + [Q]^k$
  $[P \mathrel{[>} Q]^k =_{df} [P]^k \mathrel{[>} [Q]^k$
  $[P \mid Q]^k =_{df} [P]^k \mid [Q]^k$
  $[P[f]]^k =_{df} [P]^k[f]$
  $[P \setminus L]^k =_{df} [P]^k \setminus L$
  $[\mu x.P]^k =_{df} [P[\mu x.P/x]]^k$

As second auxiliary for presenting the transition relation we define a priority adjustment function as shown in Table 2.4. Intuitively, our semantics is set up in a way such that, if one parallel component of a process engages in an action with priority $k$, then the priority values of all initial actions at other parallel components are decreased by $k$, i.e., these actions become "more important." Thus, the semantics of parallel composition deploys a kind of fairness assumption, and priorities have a dynamic character. The priority adjustment function applied to a process $P$ and a natural number $k$, denoted as $[P]^k$, returns a process term which is "identical" to $P$ except that the priorities of its initial actions are decreased by $k$. The phrase "identical" does not mean syntactic equality but syntactic equality up to unfolding of recursion. Formally, we let $\doteq$ stand for the smallest congruence which contains $\equiv$ and satisfies the axiom $\mu x.P \doteq P[\mu x.P/x]$. Our semantics respects $\doteq$, i.e., $P \doteq Q$ and $P \xrightarrow{\alpha:k} P'$ implies $Q \xrightarrow{\alpha:k} Q'$ for some $Q' \in \mathcal P$ satisfying $P' \doteq Q'$. In the remainder we use this fact silently and write $P \xrightarrow{\alpha:k} P'$ if $Q \xrightarrow{\alpha:k} Q'$ for some $Q \doteq P$ and $Q' \doteq P'$.

Table 2.5
Operational semantics for CCS_dp.

  (Act1)  $\tau{:}k.P \xrightarrow{\tau:k} P$

  (Act2)  $a{:}k.P \xrightarrow{a:l} P$ provided $l \ge k$

  (Sum1)  $\dfrac{P \xrightarrow{\alpha:k} P'}{P + Q \xrightarrow{\alpha:k} P'}$ provided $\tau \notin I^{<k}(Q)$

  (Sum2)  $\dfrac{Q \xrightarrow{\alpha:k} Q'}{P + Q \xrightarrow{\alpha:k} Q'}$ provided $\tau \notin I^{<k}(P)$

  (Dis1)  $\dfrac{P \xrightarrow{\alpha:k} P'}{P \mathrel{[>} Q \xrightarrow{\alpha:k} P' \mathrel{[>} [Q]^k}$ provided $\tau \notin I^{<k}(Q)$

  (Dis2)  $\dfrac{Q \xrightarrow{\alpha:k} Q'}{P \mathrel{[>} Q \xrightarrow{\alpha:k} Q'}$ provided $\tau \notin I^{<k}(P)$

  (Com1)  $\dfrac{P \xrightarrow{\alpha:k} P'}{P \mid Q \xrightarrow{\alpha:k} P' \mid [Q]^k}$ provided $\tau \notin I^{<k}(P \mid Q)$

  (Com2)  $\dfrac{Q \xrightarrow{\alpha:k} Q'}{P \mid Q \xrightarrow{\alpha:k} [P]^k \mid Q'}$ provided $\tau \notin I^{<k}(P \mid Q)$

  (Com3)  $\dfrac{P \xrightarrow{a:k} P' \qquad Q \xrightarrow{\bar a:k} Q'}{P \mid Q \xrightarrow{\tau:k} P' \mid Q'}$ provided $\tau \notin I^{<k}(P \mid Q)$

  (Rel)   $\dfrac{P \xrightarrow{\alpha:k} P'}{P[f] \xrightarrow{f(\alpha):k} P'[f]}$

  (Res)   $\dfrac{P \xrightarrow{\alpha:k} P'}{P \setminus L \xrightarrow{\alpha:k} P' \setminus L}$ provided $\alpha \notin L \cup \bar L$

  (Rec)   $\dfrac{P[\mu x.P/x] \xrightarrow{\alpha:k} P'}{\mu x.P \xrightarrow{\alpha:k} P'}$

The operational rules in Table 2.5 capture the following intuition. Process $a{:}k.P$ may engage in action $a$ with priority $l \ge k$ yielding process $P$. The side condition $l \ge k$ reflects that $k$ does not specify an exact priority but the maximal priority of the initial transition of $a{:}k.P$. It may also be interpreted as a lower-bound "timing constraint." Due to the notion of pre-emption incorporated in CCS_dp, $\tau{:}k.P$ may not perform the $\tau$-transition with a lower priority than $k$. Process $P + Q$ may behave like $P$ ($Q$) if $Q$ ($P$) does not pre-empt it by being able to engage in a higher prioritized internal transition. Thus, pre-emption reflects implicit upper-bound "timing constraints." $P \mid Q$ denotes the parallel composition of $P$ and $Q$ according to an interleaving semantics with synchronized communication on complementary actions of $P$ and $Q$, both having the same priority $k$, which results in the internal action $\tau$ that is attached with priority value $k$ (cf. Rule (Com3)). The interleaving Rules (Com1) and (Com2) encode the dynamic behavior of priority values as explained above, with their side conditions implementing pre-emption. The operational semantics for disabling, restriction, relabeling, and recursion is as expected. The following proposition, which can be proved by structural induction, shows that our notion of pre-emption coincides with our intuition.

Proposition 2.4. For all $P \in \mathcal P$, $\alpha \in \mathcal A$, and $k \in \mathbb N$ satisfying $P \xrightarrow{\alpha:k}$ we have $\tau \notin I^{<k}(P)$.

As for CCS_rt, we may adapt a notion of strong bisimulation, referred to as prioritized bisimulation here. Prioritized bisimulation is an equivalence that contains $\doteq$, a property which will be used without mentioning.

Definition 2.5 (Prioritized Bisimulation). A symmetric relation $\mathcal R \subseteq \mathcal P \times \mathcal P$ is called prioritized bisimulation if for every $P' \in \mathcal P$, $(P, Q) \in \mathcal R$, $\alpha \in \mathcal A$, and $k \in \mathbb N$ the following holds: $P \xrightarrow{\alpha:k} P'$ implies $\exists Q'.\ Q \xrightarrow{\alpha:k} Q'$ and $(P', Q') \in \mathcal R$. We write $P \sim_{dp} Q$ if $(P, Q) \in \mathcal R$ for some prioritized bisimulation $\mathcal R$.



2.4. Implementing CCS_dp and CCS_rt Semantics. For both process algebras, CCS_dp and CCS_rt, front-ends for the Concurrency Workbench of North Carolina (CWB-NC) [16] have been created by using the Process Algebra Compiler (PAC) [13], a "meta-compiler" developed for interfacing the CWB-NC to new process algebras. Whereas the implementation of CCS_rt is straightforward, we needed some more effort regarding CCS_dp. The reason is that Rule (Act2) of CCS_dp semantics gives rise to potentially infinite-branching transition systems, since the priority value $l$ in its side condition ranges over all natural numbers greater than or equal to $k$. Fortunately, this problem can be eliminated for all practical purposes. One possibility is to provide an upper bound $upper$ reflecting the maximal priority value of any action occurring in the process under consideration. The validity of this solution stems from the fact that a priority value higher than $upper$ has no effect on the process' semantics, since priority values cannot be adjusted to a value below zero. This idea is refined in our implementation of CCS_dp semantics as follows. Instead of choosing a value $upper$ with respect to the overall process, we determine this value with respect to the particular system state in which the process under consideration currently is. As a consequence, the number of transitions of a process according to CCS_dp semantics is always less than or equal to the number of transitions with respect to CCS_rt semantics. Finally, we want to point out that these solutions somewhat touch on the compositionality of the implemented CCS_dp semantics. If a system is combined with another one having a greater upper priority value, additional system behavior is possible. However, already computed parts of the semantics need not be re-computed.

3. Relating CCS_dp and CCS_rt Semantics. In this section we show that CCS_dp and CCS_rt semantics are closely related. The underlying intuition is best illustrated by a simple example dealing with the prefixing operator. Figure 3.1 depicts the dynamic-priority and real-time semantics of the process $a{:}k.0$. Both transition systems intuitively reflect that the process $a{:}k.0$ must delay at least $k$ times before it may engage in an $a$-transition. According to CCS_rt semantics, this process consecutively engages in $k$ time steps passing the states $a{:}(k-i).0$, for $0 \le i \le k$, before it may either continue idling in state $a{:}0.0$ or engage in an $a$-transition to the inaction process $0$. Thus, time is explicitly part of states and made visible by clock transitions each representing a step of one time unit. In contrast, CCS_dp semantics encodes a delay of at least $k$ time units in transitions rather than in states. Hence, it just possesses the states $a{:}k.0$ and $0$ connected via transitions labeled by $a{:}l$, for $l \ge k$. Although it seems at first sight that the price for saving intermediate states is to be forced to deal with infinite branching, an upper bound of $l$ can be provided as discussed in the previous section. In our example this upper bound is $k$ itself, since a delay by more than $k$ time units only results in idling and does not enable new or disable existing system behavior. Therefore, the dynamic-priority transition system of $a{:}k.0$ just consists of the two states $a{:}k.0$ and $0$ and a symbolic transition labeled by $a{:}k$, whereas the real-time transition system possesses $k + 2$ states and $k + 2$ transitions. This simple example clearly suggests that CCS_dp semantics results in much more compact models than CCS_rt semantics.

The following paragraphs aim at proving a one-to-one correspondence between the two semantics such that CCS_dp semantics can be understood as an efficient encoding of CCS_rt semantics. To this end, one also needs to make sure that the notion of pre-emption employed in CCS_dp reflects the notion of maximal progress adopted in CCS_rt. Before making the relationship between both semantics precise we first state an important lemma whose last part presents the connection between clock transitions and the priority adjustment function. In this lemma, the symbol $\overset{1^k}{\longmapsto}$ stands for $k$ consecutive clock transitions.

Lemma 3.1. For all $P, P' \in \mathcal P$ and all $k, l \in \mathbb N$ the following holds: (i) $[P]^0 \doteq P$ and $[[P]^k]^l \doteq [P]^{k+l}$, (ii) $I^k([P]^l) = I^{k+l}(P)$, and (iii) $P \overset{1^k}{\longmapsto} P'$ if and only if $P' \doteq [P]^k$ and $\tau \notin I^{<k}(P)$.


Fig. 3.1. Relating CCS_dp and CCS_rt semantics: the dynamic-priority semantics (left) and the real-time semantics (right) of the process $a{:}k.0$.


Proof. Part (i) follows immediately from the definitions of the adjustment function and of $\doteq$. For the other parts let $P, P' \in \mathcal P$ and $k, l \in \mathbb N$.

Part (ii) is proved by induction on the structure of $P$.

1. $P \equiv 0$: $I^k([0]^l) = I^k(0) = \emptyset = I^{k+l}(0)$ by our definitions.

2. $P \equiv \alpha{:}m.Q$:
   $I^k([\alpha{:}m.Q]^l)$
   $= I^k(\alpha{:}(m-l).Q)$ if $m \ge l$, and $I^k(\alpha{:}0.Q)$ otherwise   (definition of $[\cdot]^l$)
   $= \{\alpha\}$ if ($m - l \le k$ and $m \ge l$) or $m < l$, and $\emptyset$ otherwise   (definition of $I(\cdot)$ and $k \ge 0$)
   $= \{\alpha\}$ if $m \le k + l$, and $\emptyset$ otherwise   (definition of $I(\cdot)$)
   $= I^{k+l}(\alpha{:}m.Q)$.

3. $P \equiv Q_1 \mid Q_2$:
   $I^k([Q_1 \mid Q_2]^l)$
   $= I^k([Q_1]^l \mid [Q_2]^l)$   (definition of $[\cdot]^l$)
   $= I^k([Q_1]^l) \cup I^k([Q_2]^l) \cup \{\tau \mid I^k([Q_1]^l) \cap \overline{I^k([Q_2]^l)} \neq \emptyset\}$   (definition of $I(\cdot)$)
   $= I^{k+l}(Q_1) \cup I^{k+l}(Q_2) \cup \{\tau \mid I^{k+l}(Q_1) \cap \overline{I^{k+l}(Q_2)} \neq \emptyset\}$   (induction hypothesis)
   $= I^{k+l}(Q_1 \mid Q_2)$   (definition of $I(\cdot)$)

The other cases are easier to establish than the ones above and, therefore, are omitted. As a simple corollary, which is needed in the proof of Part (iii) and immediately follows from the definition of potential initial action sets, one may conclude $I^{<k}([P]^l) = I^{<k+l}(P)$, whenever $k > 0$.

We prove Part (iii) by induction on $k$. The case $k = 0$ is trivial. Therefore, we directly consider the statement for $k = 1$. For the "only if" direction one may observe that $P \overset{1}{\longmapsto} P'$ implies $P \overset{\tau}{\not\longmapsto}$ by Proposition 2.1(ii), i.e., $\tau \notin I^{<1}(P)$ by Proposition 2.3. Thus, it remains to establish that $P' \doteq [P]^1$, for which we use structural induction on $P$.

1. $P \equiv \alpha{:}m.Q$: $\alpha{:}m.Q \overset{1}{\longmapsto} P'$ implies $m > 0$ or ($m = 0$ and $\alpha \neq \tau$) according to CCS_rt semantics. In the former case we have $P' \equiv \alpha{:}(m-1).Q \equiv [\alpha{:}m.Q]^1$ by the definition of the adjustment function. In the latter case we obtain $P' \equiv \alpha{:}0.Q \equiv [\alpha{:}m.Q]^1$, as desired.

2. $P \equiv Q_1 \mid Q_2$: $Q_1 \mid Q_2 \overset{1}{\longmapsto} P'$ implies $Q_1 \overset{1}{\longmapsto} Q_1'$, $Q_2 \overset{1}{\longmapsto} Q_2'$, and $P' \equiv Q_1' \mid Q_2'$ for some $Q_1', Q_2' \in \mathcal P$. By induction hypothesis we may conclude $Q_1' \doteq [Q_1]^1$ and $Q_2' \doteq [Q_2]^1$. Hence, $P' \equiv Q_1' \mid Q_2' \doteq [Q_1]^1 \mid [Q_2]^1 \equiv [Q_1 \mid Q_2]^1$ by the definition of the adjustment function.

The other cases follow by similar reasoning. For the "if" direction let $\tau \notin I^{<1}(P)$, i.e., $P \overset{\tau}{\not\longmapsto}$ by Proposition 2.3. Hence, $P \overset{1}{\longmapsto} P'$ for some $P' \in \mathcal P$ according to Proposition 2.1(i). Moreover, we have $P' \doteq [P]^1$ by the "only if" direction of this proof part.

For the induction step let $k \ge 1$. Then, we have $P \overset{1^{k+1}}{\longmapsto} P'$ if and only if $P \overset{1}{\longmapsto} P'' \overset{1^k}{\longmapsto} P'$ for some $P'' \in \mathcal P$. By induction hypothesis and Part (iii) for $k = 1$ this is exactly the case if and only if $P' \doteq [P'']^k$, $\tau \notin I^{<k}(P'')$, $P'' \doteq [P]^1$, and $\tau \notin I^{<1}(P)$, i.e., $P' \doteq [P]^{k+1}$ and $\tau \notin I^{<k+1}(P)$ by Parts (i) and (ii), respectively.

This finishes the proof of the lemma. □

Now, we are able to state and prove a main result. 

Proposition 3.2 (One-to-one Correspondence). Let P, P E V and a:k E .4 x N. Then P -^4 P' if 
and only if 3P" € V. pJ^ k P" ^4 P'. 

Proof. Let $P, P' \in \mathcal{P}$ and $k \in \mathbb{N}$. According to Lemma 3.1(iii), it is sufficient to show that $[P]^k \xrightarrow{a} P'$ and $\tau \notin I_{<k}(P)$ if and only if $P \xrightarrow{a:k} P'$. The proof is done by induction on the structure of $P$.

1. $P = 0$: Here, our statement trivially holds since $0$ cannot engage in any transition.

2. $P = a{:}l.P'$: According to CCS$^{rt}$ semantics, $[a{:}l.P']^k \xrightarrow{a} P'$ is valid if $[a{:}l.P']^k = a{:}0.P'$, which is exactly the case if $k \geq l$. Since $\tau \notin I_{<k}(P)$ we know $k = l$ if $a = \tau$. Hence, $a{:}l.P' \xrightarrow{a:k} P'$ by CCS$^{dp}$ semantics. Conversely, $a{:}l.P' \xrightarrow{a:k} P'$ implies $k \geq l$, if $a \neq \tau$, and $k = l$ otherwise, according to CCS$^{dp}$ semantics. Thus, $[a{:}l.P']^k = a{:}0.P'$ and $a{:}0.P' \xrightarrow{a} P'$ by the definitions of the adjustment function and of CCS$^{rt}$ semantics. Finally, $\tau \notin I_{<k}(a{:}l.P')$ since $a = \tau$ implies $k = l$.

3. $P = Q_1 + Q_2$: By CCS$^{rt}$ semantics, the definitions of the adjustment function and of potential initial action sets, and Proposition 2.4 we obtain $[Q_1 + Q_2]^k = [Q_1]^k + [Q_2]^k \xrightarrow{a} P'$ and $\tau \notin I_{<k}(Q_1 + Q_2)$ if and only if ($[Q_1]^k \xrightarrow{a} P'$ or $[Q_2]^k \xrightarrow{a} P'$) and $\tau \notin I_{<k}(Q_1) \cup I_{<k}(Q_2)$. By induction hypothesis and Proposition 2.4 this is exactly the case if ($Q_1 \xrightarrow{a:k} P'$ and $\tau \notin I_{<k}(Q_2)$) or ($Q_2 \xrightarrow{a:k} P'$ and $\tau \notin I_{<k}(Q_1)$), which holds if and only if $Q_1 + Q_2 \xrightarrow{a:k} P'$ according to CCS$^{dp}$ semantics.

4. $P = Q_1 | Q_2$: Let $[Q_1|Q_2]^k = [Q_1]^k | [Q_2]^k \xrightarrow{a} P'$ (already exploiting the definition of the adjustment function) and $\tau \notin I_{<k}(Q_1|Q_2)$. According to the semantics for parallel composition, we may split this case into the following three sub-cases.

(a) $[Q_1]^k \xrightarrow{a} Q_1'$ for some $Q_1' \in \mathcal{P}$ and $P' = Q_1' | [Q_2]^k$. Since $\tau \notin I_{<k}(Q_1|Q_2)$ implies $\tau \notin I_{<k}(Q_1)$ by the definition of potential initial action sets, we may apply the induction hypothesis to conclude $Q_1 \xrightarrow{a:k} Q_1'$. This is exactly the case if $Q_1|Q_2 \xrightarrow{a:k} Q_1' | [Q_2]^k = P'$ according to CCS$^{dp}$ semantics and the fact that $\tau \notin I_{<k}(Q_1|Q_2)$.

(b) $[Q_2]^k \xrightarrow{a} Q_2'$ for some $Q_2' \in \mathcal{P}$ and $P' = [Q_1]^k | Q_2'$. This case can be shown in a symmetric fashion to the previous one.

(c) $a = \tau$, $[Q_1]^k \xrightarrow{b} Q_1'$, and $[Q_2]^k \xrightarrow{\bar{b}} Q_2'$, for some $b \in \mathcal{A} \setminus \{\tau\}$ and $Q_1', Q_2' \in \mathcal{P}$ such that $P' = Q_1' | Q_2'$. Because of the premise $\tau \notin I_{<k}(Q_1|Q_2)$ we know $\tau \notin I_{<k}(Q_1)$ and $\tau \notin I_{<k}(Q_2)$. Thus, the induction hypothesis implies $Q_1 \xrightarrow{b:k} Q_1'$ and $Q_2 \xrightarrow{\bar{b}:k} Q_2'$, and also $\tau \notin I_{<k}(Q_1|Q_2)$. According to CCS$^{dp}$ semantics, this is equivalent to $Q_1|Q_2 \xrightarrow{\tau:k} Q_1' | Q_2' = P'$, as desired.

The remaining cases are easier to establish and, therefore, are omitted. □

This proposition explicitly reflects our intuition of the meaning of a natural number attached to an action in both calculi. Whereas in CCS$^{rt}$ we interpret $a{:}k$ as the action $a$ which is enabled after a delay of (at least) $k$ time units, the value $k$ indicates the level of urgency of $a$ in CCS$^{dp}$.
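The correspondence of Proposition 3.2 can also be exercised mechanically. The following Python program is an added example, not code from the paper or from the CWB-NC: it implements the nil/prefix/sum/parallel fragment of both calculi from the rules the proof above relies on (the adjustment function, the potential initial action sets $I_{<k}$, and maximal progress for $\tau$), checks the proposition by brute force on a constructed two-process handshake, and counts the reachable states under each semantics, which shows where the state-space saving of the dynamic-priority approach comes from. The tuple encoding of processes, the sample processes, and the bound on $k$ are assumptions of this example.

```python
# Added example (not from the paper or the CWB-NC): a miniature interpreter for the
# nil / prefix / sum / parallel fragment of CCS^rt and CCS^dp, written from the rules
# the proof of Proposition 3.2 relies on.  Process encoding, sample processes and the
# bound on k are this example's own assumptions.
TAU = "tau"
NIL = ("nil",)   # processes are nested tuples: ("pre", a, delay, P), ("sum", P, Q), ("par", P, Q)
def bar(a):  # complementary action; CWB-NC writes the output on port a as 'a
    return a[1:] if a.startswith("'") else "'" + a
def pre(a, delay, p): return ("pre", a, delay, p)
def add(p, q): return ("sum", p, q)
def par(p, q): return ("par", p, q)

def adjust(p, k):
    """Adjustment function [P]^k: k time units elapse, initial delays drop but stay >= 0."""
    if p[0] == "nil": return p
    if p[0] == "pre": return ("pre", p[1], max(0, p[2] - k), p[3])
    return (p[0], adjust(p[1], k), adjust(p[2], k))

def initial_before(p, k):
    """I_{<k}(P): actions P could perform with delay < k, including the tau of a
    synchronisation both halves of which have delay < k."""
    if p[0] == "nil": return frozenset()
    if p[0] == "pre": return frozenset([p[1]]) if p[2] < k else frozenset()
    i1, i2 = initial_before(p[1], k), initial_before(p[2], k)
    sync = p[0] == "par" and any(bar(a) in i2 for a in i1 if a != TAU)
    return i1 | i2 | (frozenset([TAU]) if sync else frozenset())

def rt_clock(p):
    """CCS^rt clock step P |--1--> [P]^1, allowed only if no tau is enabled now (maximal progress)."""
    return adjust(p, 1) if TAU not in initial_before(p, 1) else None

def rt_actions(p):
    """CCS^rt action transitions P --a--> P': only prefixes with delay 0 may fire."""
    if p[0] == "nil": return set()
    if p[0] == "pre": return {(p[1], p[3])} if p[2] == 0 else set()
    left, right = rt_actions(p[1]), rt_actions(p[2])
    if p[0] == "sum": return left | right
    out = {(a, par(p1, p[2])) for a, p1 in left} | {(b, par(p[1], q1)) for b, q1 in right}
    return out | {(TAU, par(p1, q1)) for a, p1 in left for b, q1 in right if a != TAU and bar(a) == b}

def rt_via_delay(p, k):  # {(a, P') | exists P''. P |--k--> P'' --a--> P'}: k ticks, then one action
    for _ in range(k):
        p = rt_clock(p)
        if p is None: return set()
    return rt_actions(p)

def dp_actions(p, k):
    """CCS^dp transitions P --a:k--> P' with k as urgency value (rules as used in the proof)."""
    if p[0] == "nil": return set()
    if p[0] == "pre":
        enabled = k == p[2] if p[1] == TAU else k >= p[2]   # tau is urgent, visible actions may wait
        return {(p[1], p[3])} if enabled else set()
    left, right = dp_actions(p[1], k), dp_actions(p[2], k)
    if p[0] == "sum":   # a branch fires only if the other branch holds no more urgent tau
        return ({x for x in left if TAU not in initial_before(p[2], k)}
                | {x for x in right if TAU not in initial_before(p[1], k)})
    if TAU in initial_before(p, k): return set()          # a more urgent tau pre-empts
    out = {(a, par(p1, adjust(p[2], k))) for a, p1 in left}
    out |= {(b, par(adjust(p[1], k), q1)) for b, q1 in right}
    return out | {(TAU, par(p1, q1)) for a, p1 in left for b, q1 in right if a != TAU and bar(a) == b}

def max_delay(p):
    if p[0] == "nil": return 0
    if p[0] == "pre": return max(p[2], max_delay(p[3]))
    return max(max_delay(p[1]), max_delay(p[2]))

def reachable(p, succ):
    seen, todo = {p}, [p]
    while todo:
        for r in succ(todo.pop()):
            if r not in seen:
                seen.add(r)
                todo.append(r)
    return seen

def rt_states(p):
    """States of the CCS^rt transition system, clock successors included."""
    def succ(q):
        c = rt_clock(q)
        return {q1 for _, q1 in rt_actions(q)} | ({c} if c is not None else set())
    return reachable(p, succ)

def dp_states(p):
    """CCS^dp states; [Q]^k stops changing once k exceeds every delay, so k <= max_delay+1 suffices."""
    K = max_delay(p) + 1
    return reachable(p, lambda q: {q1 for k in range(K + 1) for _, q1 in dp_actions(q, k)})

def correspondence_holds(p, kmax):
    """Proposition 3.2, checked by brute force for all k <= kmax on every dp-reachable state."""
    return all(dp_actions(q, k) == rt_via_delay(q, k)
               for q in dp_states(p) for k in range(kmax + 1))

# Constructed sample (not the SCSI model): an initiator raising REQ after two deskew delays
# and then awaiting ACK; a target accepting REQ at any time and answering ACK three units
# later, or silently giving up (the tau branch) after five idle units.
INITIATOR = pre("'req", 2, pre("ack", 0, NIL))
TARGET = add(pre("req", 0, pre("'ack", 3, NIL)), pre(TAU, 5, NIL))
SYSTEM = par(INITIATOR, TARGET)

if __name__ == "__main__":
    print("Proposition 3.2 holds on every reachable state:", correspondence_holds(SYSTEM, 6))
    print("CCS^rt states:", len(rt_states(SYSTEM)), "  CCS^dp states:", len(dp_states(SYSTEM)))
```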
3.1. Bisimulation Correspondence. The correspondence between CCS$^{dp}$ and CCS$^{rt}$ semantics reflected in Proposition 3.2 is the key for proving the next theorem.

THEOREM 3.3 (Bisimulation Correspondence). Let $P, Q \in \mathcal{P}$. Then $P \sim_{dp} Q$ if and only if $P \sim_{rt} Q$.

Proof. We first prove the "if" direction by showing $\sim_{rt}$ to be a prioritized bisimulation. Let $P, P', Q \in \mathcal{P}$, $a \in \mathcal{A}$, and $k \in \mathbb{N}$ satisfying $P \xrightarrow{a:k} P'$. By Proposition 3.2 we may conclude the existence of some $P'' \in \mathcal{P}$ such that $P \overset{k}{\longmapsto} P'' \xrightarrow{a} P'$. Since $P \sim_{rt} Q$ there exist some $Q', Q'' \in \mathcal{P}$ satisfying $Q \overset{k}{\longmapsto} Q'' \xrightarrow{a} Q'$, $P'' \sim_{rt} Q''$, and $P' \sim_{rt} Q'$, which can be formally derived by a straightforward induction on $k$ and the definition of $\sim_{rt}$. Proposition 3.2 now implies $Q \xrightarrow{a:k} Q'$, as desired. For the "only if" direction it is sufficient to show that $R_t =_{df} \{([P]^k, [Q]^k) \mid P \sim_{dp} Q,\ \tau \notin I_{<k}(P),\ \tau \notin I_{<k}(Q),\ \text{and } k \in \mathbb{N}\}$ is a temporal bisimulation. Note that $(P, Q) \in R_t$ by choosing $k = 0$ (cf. Lemma 3.1(i) and the fact that $I_{<0}(\cdot) = \emptyset$). Let $([P]^k, [Q]^k) \in R_t$ for some arbitrary $k \in \mathbb{N}$, i.e., $P \sim_{dp} Q$, $\tau \notin I_{<k}(P)$, and $\tau \notin I_{<k}(Q)$.

First, consider $[P]^k \xrightarrow{a} P'$ for some $P' \in \mathcal{P}$. Because of $\tau \notin I_{<k}(P)$ we conclude $P \overset{k}{\longmapsto} [P]^k \xrightarrow{a} P'$ by Lemma 3.1(iii). Hence, $P \xrightarrow{a:k} P'$ according to Proposition 3.2. Since $P \sim_{dp} Q$ we know of the existence of some $Q' \in \mathcal{P}$ such that $Q \xrightarrow{a:k} Q'$ and $P' \sim_{dp} Q'$. Now, we use Proposition 3.2 and Lemma 3.1(iii) again in order to obtain $[Q]^k \xrightarrow{a} Q'$. Moreover, $([P']^0, [Q']^0) \in R_t$ can be derived from $P' \sim_{dp} Q'$, as desired.

Second, let $[P]^k \overset{1}{\longmapsto} P'$ for some $P' \in \mathcal{P}$. Hence, $[P]^k \overset{1}{\longmapsto} [[P]^k]^1$ by Proposition 2.1(ii), i.e., $\tau \notin I_{<1}([P]^k)$ and thus $\tau \notin I_{<k+1}(P)$ by Proposition 2.3 and Lemma 3.1(iii), and $P' = [P]^{k+1}$ by Lemmas 3.1(i) and 3.1(iii). From the first case we know $[Q]^k \overset{1}{\longmapsto}$, i.e., $\tau \notin I_{<k+1}(Q)$ according to Proposition 2.3 and Lemma 3.1(iii). Now, Lemma 3.1(iii) is applicable, and $[Q]^k \overset{1}{\longmapsto} [[Q]^k]^1 = [Q]^{k+1}$ holds by Lemma 3.1(i). Moreover, $([P]^{k+1}, [Q]^{k+1}) \in R_t$ by the definition of $R_t$, which finishes the proof. □

As a consequence of this result, prioritized and temporal bisimulation possess the same algebraic properties. In particular, we may conclude that prioritized bisimulation is a congruence.

3.2. Logical Correspondence. CCS$^{dp}$ and CCS$^{rt}$ semantics are logically related, too. This correspondence can be formally established by using a variant of the modal $\mu$-calculus [24] as temporal logic. Its syntax is defined by the following BNF, which uses a set of variables $\mathcal{V}_\mu$ with $X \in \mathcal{V}_\mu$.

$\Phi ::= \mathit{tt} \mid X \mid \neg\Phi \mid \Phi \wedge \Phi \mid \langle a{:}k\rangle\Phi \mid \mu X.\Phi$

Formulas are also required to satisfy the following additional constraint: in $\mu X.\Phi$ every occurrence of $X$ in $\Phi$ must be inside an even number of negations. Moreover, we define some dual operators: $\mathit{ff} =_{df} \neg\mathit{tt}$, $\Phi_1 \vee \Phi_2 =_{df} \neg(\neg\Phi_1 \wedge \neg\Phi_2)$, $[a{:}k]\Phi =_{df} \neg\langle a{:}k\rangle(\neg\Phi)$, and $\nu X.\Phi =_{df} \neg\mu X.(\neg\Phi[\neg X/X])$, where $[\neg X/X]$ denotes the substitution of all free occurrences of $X$ by $\neg X$. We also introduce the following abbreviations, where $L \subseteq \mathcal{A} \times \mathbb{N}$: $\langle L\rangle\Phi =_{df} \bigvee\{\langle a{:}k\rangle\Phi \mid a{:}k \in L\}$, $\langle -\rangle\Phi =_{df} \langle\mathcal{A} \times \mathbb{N}\rangle\Phi$, $\langle -L\rangle\Phi =_{df} \langle(\mathcal{A} \times \mathbb{N}) \setminus L\rangle\Phi$, $[L]^\infty\Phi =_{df} \nu X.(\Phi \wedge [L]X)$, and $\langle L\rangle^*\Phi =_{df} \mu X.(\Phi \vee \langle L\rangle X)$. Finally, we let $\mathcal{F}$ denote the set of all formulas.

The semantics $\{\Phi\}$ of a $\mu$-calculus formula is defined with respect to an environment $\sigma : \mathcal{V}_\mu \to 2^{\mathcal{P}}$ which maps variables to sets of processes. Intuitively, $\{\Phi\}(\sigma)$ denotes the set of all processes that satisfy $\Phi$ under the environment $\sigma$. Formally, the semantic mapping $\{\cdot\} : (\mathcal{F} \times \mathcal{E}) \to 2^{\mathcal{P}}$, where $\mathcal{E}$ stands for the set of all environments, is inductively defined over the structure of formulas, as shown in Table 3.1. If $\Phi$ is a closed formula, its semantics is independent of the environment. In this case, we simply write $\{\Phi\}$ instead of $\{\Phi\}(\sigma)$. We say that the process $P$ satisfies property $\Phi$ if $P \in \{\Phi\}$. Intuitively, formula $\mathit{tt}$ is satisfied by every process, and the Boolean operators are interpreted as usual. The formula $\langle a{:}k\rangle\Phi$ is satisfied by those processes that have an $a{:}k$ successor for which $\Phi$ holds. Finally, $\mu X.\Phi$ stands for the least solution of the equation $X = \Phi$ with respect to the Boolean lattice where $\mathit{ff}$ is smaller than $\mathit{tt}$. On the basis of the above definitions one can deduce that a process $P$ satisfies $[a{:}k]\Phi$ if all its $a{:}k$-derivatives satisfy $\Phi$, and it satisfies $[L]^\infty\Phi$ if along every process reachable from $P$ via a sequence of transitions labeled with elements of $L$, the formula $\Phi$ is valid. Similarly, $\langle L\rangle^*\Phi$ holds for a process if some sequence of transitions with labels drawn from $L$ leads to a process satisfying $\Phi$. For CCS$^{rt}$ a version of the $\mu$-calculus can be obtained by defining the semantics of $\langle a{:}k\rangle\Phi$ as $\{P \in \mathcal{P} \mid \exists P', P'' \in \mathcal{P}.\ P \overset{k}{\longmapsto} P'' \xrightarrow{a} P' \text{ and } P' \in \{\Phi\}(\sigma)\}$. As an important result, processes satisfy the same formulas, independently of whether those are interpreted for CCS$^{dp}$ or CCS$^{rt}$ semantics.

Table 3.1
Semantics of the modal $\mu$-calculus.

  $\{\mathit{tt}\}(\sigma) =_{df} \mathcal{P}$
  $\{X\}(\sigma) =_{df} \sigma(X)$
  $\{\neg\Phi\}(\sigma) =_{df} \mathcal{P} \setminus \{\Phi\}(\sigma)$
  $\{\Phi_1 \wedge \Phi_2\}(\sigma) =_{df} \{\Phi_1\}(\sigma) \cap \{\Phi_2\}(\sigma)$
  $\{\langle a{:}k\rangle\Phi\}(\sigma) =_{df} \{P \in \mathcal{P} \mid \exists P' \in \mathcal{P}.\ P \xrightarrow{a:k} P' \text{ and } P' \in \{\Phi\}(\sigma)\}$
  $\{\mu X.\Phi\}(\sigma) =_{df} \bigcap\{\mathcal{P}' \subseteq \mathcal{P} \mid \{\Phi\}(\sigma[\mathcal{P}'/X]) \subseteq \mathcal{P}'\}$

Theorem 3.4 (Logical Correspondence). Let $\Phi \in \mathcal{F}$ and $\sigma \in \mathcal{E}$. Then $\{\Phi\}_{dp}(\sigma) = \{\Phi\}_{rt}(\sigma)$.

Proof. The proof is done by induction on the structure of formula $\Phi$. The induction base $\Phi = \mathit{tt}$ holds trivially. In the following, we consider the case $\Phi = \langle a{:}k\rangle\Psi$ of the induction step.

$\{\langle a{:}k\rangle\Psi\}_{dp}(\sigma)$
$= \{P \in \mathcal{P} \mid \exists P' \in \mathcal{P}.\ P \xrightarrow{a:k} P' \text{ and } P' \in \{\Psi\}_{dp}(\sigma)\}$ (definition of $\{\cdot\}_{dp}$)
$= \{P \in \mathcal{P} \mid \exists P' \in \mathcal{P}.\ P \xrightarrow{a:k} P' \text{ and } P' \in \{\Psi\}_{rt}(\sigma)\}$ (induction hypothesis)
$= \{P \in \mathcal{P} \mid \exists P', P'' \in \mathcal{P}.\ P \overset{k}{\longmapsto} P'' \xrightarrow{a} P' \text{ and } P' \in \{\Psi\}_{rt}(\sigma)\}$ (Proposition 3.2)
$= \{\langle a{:}k\rangle\Psi\}_{rt}(\sigma)$ (definition of $\{\cdot\}_{rt}$)

The other cases of the induction step are straightforward. □

Hence, properties of processes interpreted with respect to CCS$^{dp}$ semantics also hold in the CCS$^{rt}$ interpretation, and vice versa. It is worth noting that by leaving out the fixed point operator $\mu X$ we obtain versions of the so-called Hennessy-Milner logic which characterizes bisimulation [27]. Since the logical characterizations of our bisimulations are not of importance here, we do not investigate them further.


4. Case Study: The SCSI-2 Bus-Protocol. We demonstrate the utility of our approach to implementing real-time semantics using dynamic priorities by a case study dealing with the bus protocol of the widely-used Small Computer System Interface [1], or SCSI for short. The SCSI bus is designed to provide an efficient peer-to-peer I/O connection for peripheral devices such as disks, tapes, printers, etc. It usually connects several of these devices with one host adapter which often resides on a computer's motherboard. In contrast to the host adapter, peripherals are not attached directly to the bus but via controllers, also called logical units (LUNs). Thus, LUNs provide a physical and logical interface between the bus and the peripherals. Conceptually, up to seven LUNs can be connected to one bus, and one LUN can support up to seven peripherals. However, in practice most peripherals contain their own SCSI controller (cf. Figure 4.1). The SCSI-2 bus-protocol implements the logic regulating how peripherals and the host adapter communicate with each other on the bus. Communication on the SCSI bus is point-to-point, i.e., at any time either none or exactly two LUNs may communicate with each other. For easy addressing, each LUN is assigned a fixed SCSI id in the form of a number ranging from zero to seven. Id 0 is reserved for the host adapter which is also, conceptually, a LUN. Communication on the bus is organized by the use of eight signal lines, whereas the actual information, like messages, commands, data, and status information, is transferred over a data bus.



Fig. 4.1. Typical SCSI configuration. 



Fig. 4.2. Usual progression of the SCSI-2 bus-phases. 


The SCSI-2 bus-protocol is organized in eight distinct phases: Bus Free, Arbitration, Selection, Reselection, Command, Data, Status, and Message phase. At any given time, the SCSI bus is in exactly one phase. The usual progression of phases is shown in Figure 4.2. During the Bus Free phase no device is in possession of the bus, i.e., LUNs may request access. If more than one device competes for the bus in order to initiate a communication, the one with the highest SCSI id is granted access. In the Arbitration phase, every LUN that has posed a request determines if it has won the competition. All LUNs which lose may compete for the bus again later, whereas the winner, also referred to as initiator, proceeds to the Selection phase. In this phase the initiator tries to connect to the desired destination, called target. When the link between initiator and target has been established, the so-called information transfer phases, including the Command, the Data, the Status, and the Message phases, are entered. In the Command phase the target may request a command from the initiator. Data may be transferred between target and initiator in the Data phase. During a Message phase information is exchanged between the initiator and the target concerning the bus protocol itself. Finally, the Status phase is used to transfer status information to the initiator upon completion of a command executed by the target. The key idea for accelerating communication on the bus, which has significantly contributed to the success of SCSI, is that the target can free the bus whenever it receives a time-intensive command from the initiator. As soon as the execution of such a command is finished, the target competes for the bus in order to transmit the result to the former initiator. As a simple example, one may think of the initiator as the host adapter, of the target as a hard disk, and of the command as the request to read a certain block from that hard disk. Since accessing hard disks takes some time, the bus can be used for other purposes until the requested block is found and its data is ready for transmission.

5. Modeling the SCSI-2 Bus-Protocol. In this section we model the SCSI-2 bus-protocol in our language as implemented in the CWB-NC. Its syntax slightly departs from the one introduced in Section 2 by writing nil for the inaction process 0, proc x = P for the term fix x.P, and 'a:k for $\bar{a}{:}k$. Moreover, we use the notation a(obs):k which may be interpreted as a:k in this section. Actions obs come into play in the next section where they serve as "probes" for verification purposes.







For modeling the SCSI-2 bus-protocol we have imposed some assumptions. First, we restrict ourselves to modeling two LUNs, called LUN0 and LUN1, having id 0 and id 1, respectively. This is sufficient for dealing with the aspects of the SCSI-2 bus-protocol we are interested in. Note that even in the situation of two LUNs there exists competition for the bus. Moreover, we abstract from timeout procedures and from the contents of most messages, commands, and data. These abstractions are justified since they do not affect the conceptual parts of the bus protocol's behavior. For example, the sole purpose of a timeout is to determine if a target is alive or not. The contents of information sent over the bus, except for messages representing the completion of some transmission, are only relevant for the device-specific part of LUNs but not for the bus protocol itself. Additionally, the bus signals BSY (busy) and SEL (select) are wired-or signals in reality. However, we do not need to model this "or"-behavior, since our model only deals with two LUNs, and just one LUN at a time can assert the BSY or SEL signal. Finally, all quantitative timing information occurring in the model is measured relative to a time unit of 5 ns, including arbitration delays (480 time units), bus clear delays (160 time units), bus settle delays (80 time units), deskew delays (9 time units), and cable skew delays (9 time units).

The underlying structure of the bus protocol is explicitly reflected in our model. Each LUN connected to the bus is modeled as a separate parallel component containing models of the different bus phases as discussed in the previous section. The logical behavior of the bus protocol is implemented by bus signals. Each signal physically consists of a wire which we model as a separate process similar to a global Boolean variable. Note that signal delays are not modeled in the wires but in the operations used for transmitting information over the SCSI bus. Since we abstract away the content of most information, we do not need to model each bit of the data bus. Hence, arbitration is modeled via a global variable which stores the highest id of all LUNs requesting access to the bus. Accordingly, our model, called SCSIBus, consists of the parallel composition of both LUNs and the BusSignals, including the regular signals and the data path. Formally,

proc SCSIBus = (LUN0 | BusSignals | LUN1) \ Restriction

where Restriction contains all actions that are internal to the protocol, i.e., those concerned with setting/releasing signals, requesting signal status, and placing/reading information on/from the data bus.

5.1. Modeling the Bus Signals and the Data Bus. Conceptually, each bus signal is modeled as a Boolean variable which is either true (signal on) or false (signal off). Thus, the processes representing the signals BSY (busy), SEL (select), C/D (command/data), I/O (input/output), MSG (message), ATN (attention), REQ (request), and ACK (acknowledgment) are generically created by relabeling the actions of the process Off (cf. Table 5.1). Using the ports set and rel one can set or release the signal and, hereby, switch the state to On and Off, respectively. Actions 'off ('on) indicate that the signal is currently in state Off (On). Note that the atomicity of actions in process algebras guarantees that conflicts, arising by setting several signals simultaneously, are avoided.

In the following, we abstract away the contents of most messages. Only the distinguished messages disconnect and complete are explicitly considered since they require exiting the information transfer phases and switching to the initial state of the LUN. Accordingly, we may model the data bus as a variable which can store and read out information (actions placeXXX and readXXX, respectively). The labels obsXXX are used to record the events of placing and reading messages on the bus.

For modeling arbitration we introduce the process Arbitrator which models a variable that stores the value of the highest id of all LUNs which compete for the bus. The situation in which no LUN wants to access the bus is captured by a special "undefined" state. Accordingly, the process Arbitrator possesses three
Table 5.1
Model of the bus signals, the data bus, and the arbitration variable.

  proc BusSignals = DataBus
                  | Arbitrator
                  | Off[setBSY/set, relBSY/rel, isBSY/on, noBSY/off]
                  | Off[setSEL/set, relSEL/rel, isSEL/on, noSEL/off]
                  | ...

  proc Off = 'off:0.Off + set:0.On + rel:0.Off
  proc On  = 'on:0.On   + set:0.On + rel:0.Off

  proc DataBus  = DataBus' [> release(obsrelease):0.DataBus
  proc DataBus' = placemsgIn(obsplace):0.'readmsgIn(obsread):0.DataBus'
                + placemsgOut(obsplace):0.'readmsgOut(obsread):0.DataBus'
                + placefinished(obsplace):0.'readfinished(obsread):0.DataBus'
                + placedata(obsplace):0.'readdata(obsread):0.DataBus'
                + placecmd(obsplace):0.'readcmd(obsread):0.DataBus'
                + placestatus(obsplace):0.'readstatus(obsread):0.DataBus'
                + sentdisconnect(obssentdiscon):0.'readdisconnect(obsreaddiscon):0.DataBus'
                + sentcomplete(obssentcomplete):0.'readcomplete(obsreadcomplete):0.DataBus'
                + writetarget0(obswritet0):0.'readtarget0(obsreadt0):0.DataBus'
                + writetarget1(obswritet1):0.'readtarget1(obsreadt1):0.DataBus'

  proc Arbitrator = Undef [> clear:0.Arbitrator
  proc Undef = setid0:0.Id0 + setid1:0.Id1 + 'noid0:0.Undef + 'noid1:0.Undef
  proc Id0   = setid0:0.Id0 + setid1:0.Id1 + 'isid0:0.Id0   + 'noid1:0.Id0
  proc Id1   = setid0:0.Id1 + setid1:0.Id1 + 'noid0:0.Id1   + 'isid1:0.Id1


states as shown in Table 5.1, called Undef, Id0, and Id1, respectively. One may set the variable to state Id$_k$ via port setid$_k$ whenever the current state of Arbitrator is either Undef or Id$_j$ for $j < k$. In other words, the variable always maintains its maximum value. However, it may be reset to its initial state Undef via port clear. In reality, the LUNs that want to compete for access broadcast their id on the data bus. Before acquiring the bus the LUN has to check if a higher id than its own is asserted. Modeling this technique one-to-one requires implementing the $n$-bit wide data bus, where $n$ corresponds to the maximal number of LUNs attached to the bus. This induces a complexity of $2^n$ states, compared to $n + 1$ states by our technique.

5.2. Modeling the Bus Phases for Connection Establishment. Let us focus on modeling the logical characteristics of the SCSI-2 bus-protocol (see Section 6 of [1]) for the initial bus phases handling connection establishment. In the Bus Free phase, no device is in possession of the bus; hence it is available for arbitration. The SCSI bus is defined to be in the Bus Free phase as soon as the signals SEL and BSY have been off for at least a bus settle delay. Accordingly, the process BusFree0 of LUN0 detects the Bus Free phase when the actions isBSY and isSEL are absent for 80 time units (cf. Table 5.2). If one of the actions isBSY or isSEL is observed, the bus is occupied and LUN0 returns to the start state. Otherwise, if the bus is free, the logical unit asserts the BSY signal (action 'setBSY) and sets the arbitration variable accordingly (action 'setid0), before it performs an arbitration delay and switches to the Arbitration phase.


Table 5.2
Bus Free, Arbitration, and Selection phase.

  proc LUN0 = t(start0):9.'relIO:0.(BusFree0 + GetSelected0) + t:9.LUN0
            + t(start0):9.'setIO(obs_setIO):0.(BusFree0 + GetSelected0) + GetSelected0

  proc BusFree0   = t(busfree):80.'setBSY(obs_setBSY):80.'setid0:0.Arbitrate0
                  + isSEL(obs_isSEL):0.LUN0 + isBSY(obs_isBSY):0.LUN0
  proc Arbitrate0 = noid1(obs_winner_id0):480.'setSEL(obs_setSEL):0.Selection0
                  + isid1(obs_winner_id1):480.LUN0

  proc Selection0   = 'writetarget1:240.'setATN:9.'relBSY(obs_relBSY):18.isBSY:80.
                      'relSEL(obs_relSEL):9.t(begin_ITP):0.(noIO:0.Initiator0 + isIO:0.Target0)
  proc GetSelected0 = isATN:0.( isSEL:0.noBSY:0.readtarget0:0.'setBSY(obs_setBSY):0.'release:0.
                                'clear:0.noSEL:0.(noIO:0.Target0 + isIO:0.Initiator0)
                              + noSEL:0.LUN0 )

  proc Initiator0 = H0 [> noBSY(obs_noBSY):0.'relATN:0.LUN0
  proc H0 = t:9.'setATN(obs_setATN):9.H0
          + isREQ(obs_isREQ):9.( noMSG:0.( noCD:0.(noIO:0.DataOutI0 + isIO:0.DataInI0)
                                         + isCD:0.(noIO:0.CommandI0 + isIO:0.StatusI0) )
                               + isMSG:0.isCD:0.(noIO:0.MsgOutI0 + isIO:0.MsgInI0) )

  proc Target0 = (noIO:0.MsgOutT0 + isIO:0.'relATN:0.MsgInT0) [> noBSY:0.'relATN:0.LUN0


In the Arbitration phase a LUN, which competes for access to the bus, looks up whether it has won the arbitration by checking that no device having a higher id has asserted its id on the bus. Before the winner proceeds to the Selection phase, it asserts the SEL signal. All LUNs that have lost arbitration return to their initial states. The models of the Arbitration phase as well as of the Selection phase are presented in Table 5.2 for LUN0; the model of LUN1 is similar, although the behaviors of LUN0 and LUN1 are not completely symmetric in the Arbitration phase. The asymmetries arise from the different priority values assigned to both devices. In the Arbitration phase, LUN0 has to check if LUN1 has set its id on the bus. If so, LUN0 has lost arbitration. However, LUN1 does not need to check if LUN0 has set its id on the bus since LUN0 is assigned the lower SCSI id. Moreover, since we are assuming only two devices, there is no necessity for LUN1 to check any SCSI id asserted on the bus.

The Selection phase is distinguished from the Reselection phase by the de-asserted I/O signal. In the Selection phase the winning LUN, the initiator, tries to connect to the desired destination, the target, which is the logical unit LUN1 in the case of Selection0. Therefore, it writes the id of the target on the data bus (action 'writetarget1) and asserts the ATN signal to force each device to check if it is the desired target. The initiator then waits for some deskew delays and releases the BSY signal. After a short delay it looks for a response from the target. If the BSY signal is asserted, the target has responded and taken over control of the bus protocol. In this case the initiator releases the SEL signal (action 'relSEL) and then behaves as Initiator0, or as Target0 in case of the Reselection phase. If the ATN signal is asserted, each device verifies if the bus protocol is in the Selection or Reselection phase (cf. process GetSelected0). Therefore, it checks the SEL signal (action isSEL) and waits until the initiator releases the BSY signal (action 'relBSY). Then it asserts the BSY signal (action 'setBSY), releases the data bus (action 'release), and re-initializes the arbitration variable (action 'clear) before behaving as Target0 or Initiator0.

Table 5.3
Command phase.

  proc CommandI0 = isREQ:0.( 'placecmd:0.'setACK:9.noREQ:0.'release:0.'relACK:0.CommandI0
                           + 'placefinished:0.'setACK:9.noREQ:0.'release:0.'relACK:0.H0 )
  proc CommandT0  = 'relMSG:0.'setCD:0.'relIO(begin_Command):0.t(begin_Phase):0.CommandT0'
  proc CommandT0' = 'setREQ:0.isACK(obs_isACK):0.
                    ( readcmd:0.'relREQ(obs_relREQ):0.noACK:0.CommandT0'
                    + readfinished:0.'relREQ(obs_relREQ):0.noACK:0.t(end_Phase):0.
                      (MsgOutT0 + MsgInT0 + DataOutT0 + DataInT0 + StatusT0) )

After the Arbitration and (Re)Selection phases the target, the master of the bus protocol, proceeds to the MessageOut or MessageIn phase depending on whether it has been selected as target or whether it wants to re-connect to a former initiator, as indicated by the status of the I/O signal (cf. Table 5.2). The initiator, the slave of the bus protocol, continuously checks the status of the signals MSG, C/D, and I/O in order to determine the next phase selected by the target. Moreover, it may indicate its wish to proceed to the MessageOut phase by asserting the ATN signal (action 'setATN). Finally, upon detection of the de-assertion of the BSY signal (action noBSY) caused by the target's expected or unexpected release of the SCSI bus, the initiator de-asserts the ATN signal (action 'relATN) and returns to its initial state.

5.3. Modeling the Information Transfer Phases. The processes Target0 and Initiator0 initiate the Information Transfer Phases (ITP) which subsume the Command, Data, Status, and Message phases. In those phases, information is exchanged between the initiator and the target. The Data and the Message phases are further divided into DataIn, DataOut, MessageIn, and MessageOut phases according to the direction of information flow. The "In" phases are concerned with transferring information from the target to the initiator whereas the "Out" phases are concerned with transferring information in the other direction. The information transfer takes place using a byte-wise handshake mechanism. In the following, we only explain the Command phase and its modeling (cf. Table 5.3). The complete model can be found in the appendix.

The Command phase is entered if the target intends to request a command from the initiator. The target indicates the Command phase by de-asserting the MSG and I/O signals and asserting the C/D signal. After waiting for a deskew delay the target requests a command from the initiator by setting the REQ signal (action 'setREQ). In the meantime, the initiator detects that the target has switched to the Command phase by observing the status of the MSG, C/D, and I/O signals (cf. process H0 in Table 5.2). Upon detection of the asserted REQ signal (action isREQ) the initiator places the first byte of the command on the data bus (action 'placecmd), waits for a deskew delay, and asserts the ACK signal (action 'setACK). After the target detects the asserted ACK signal (action isACK) it reads the command from the data bus (action readcmd) and releases the REQ signal (action 'relREQ). At this point the handshake procedure for receiving (the first byte of) the command is completed. Now, the initiator may release the data bus (action 'release) and the ACK signal (action 'relACK). If a command is longer than one byte, the bus may remain in the Command phase, and the handshake mechanism may be repeated, until the message finished (action readfinished) has been transferred. Note that in the real-world protocol the length of a command is encoded in its first byte.
6. Verifying the Bus-Protocol. In this section we specify several safety and liveness properties, which our model is expected to satisfy, in the modal $\mu$-calculus [24], and verify them by employing the local model checker [4] integrated in the CWB-NC. The one-to-one correspondence between CCS$^{dp}$ and CCS$^{rt}$ semantics ensures that the properties, once verified for the CCS$^{dp}$ model, hold for the CCS$^{rt}$ model, too. In order to construct the state spaces of our model we have run the CWB-NC on a SUN SPARC 20 workstation. Whereas the model has 62400 states and 65624 transitions according to CCS$^{rt}$ semantics, it possesses only 8391 states and 14356 transitions with respect to CCS$^{dp}$ semantics. This drastic saving in state space emphasizes the utility of using dynamic priorities for implementing discrete real-time semantics.

6.1. Properties of Interest. The following desired requirements of the SCSI-2 bus-protocol are extracted from the official ANSI document [1].

• Property 1: All bus phases are always reachable. This implies that the model is free of deadlocks.

• Property 2: Whenever a bus phase is entered, it is eventually exited.

• Property 3: The signals REQ and ACK do not change between two information transfer phases.

• Property 4: The signal BSY is on and the signal SEL is off during the information transfer phases.

• Property 5: Whenever a device sends a message, it is eventually received by the intended LUN.

• Property 6: Whenever the ATN signal is set, the bus eventually enters the MessageOut phase.

Note that the properties describe the functional behavior of the SCSI-2 bus-protocol rather than explicit real-time issues concerned with hard deadlines or response times. Therefore, we may abstract from delay/priority values in $\mu$-calculus formulas by replacing the operators $\langle a{:}k\rangle$ introduced in Section 3.2 by $\langle a\rangle$. Semantically, we define $\{\langle a\rangle\Phi\}_{rt}(\sigma) =_{df} \{P \in \mathcal{P} \mid \exists P', P'' \in \mathcal{P}.\ P \overset{*}{\longmapsto} P'' \xrightarrow{a} P' \text{ and } P' \in \{\Phi\}_{rt}(\sigma)\}$ as well as $\{\langle a\rangle\Phi\}_{dp}(\sigma) =_{df} \{P \in \mathcal{P} \mid \exists P' \in \mathcal{P}, k \in \mathbb{N}.\ P \xrightarrow{a:k} P' \text{ and } P' \in \{\Phi\}_{dp}(\sigma)\}$. An adaptation of Theorem 3.4 can easily be shown to hold for the modified temporal logics, too. Therefore, we can verify our properties of the SCSI-2 bus-protocol within the more compact CCS$^{dp}$ model and conclude that these are also valid for the CCS$^{rt}$ model. For notational convenience we introduce the following meta-formulas, where $\alpha, \beta \in \mathcal{A}$, $L \subseteq \mathcal{A}$, and $\Phi \in \mathcal{F}$.

$\mathit{between}(\alpha, \beta, \Phi) =_{df} \nu X.[\alpha](\nu Y.(\Phi \wedge [\beta]X \wedge [-\beta]Y)) \wedge [-\alpha]X$

$\mathit{fair\text{-}follows}(\alpha, \beta, L, \Phi) =_{df} \nu X.[\alpha](\nu Y.\mu Z.(\Phi \wedge [\beta]X \wedge [L]Y \wedge [-(\{\beta\} \cup L)]Z)) \wedge [-\alpha]X$

The meta-formula $\mathit{between}(\alpha, \beta, \Phi)$ states the following. On every path it is always the case that after $\alpha$, the formula $\Phi$ is true at every state until $\beta$ is seen. Note that $\beta$ need not occur after $\alpha$ since $\beta$ only releases the requirement that $\Phi$ be true at every state. The meta-formula $\mathit{fair\text{-}follows}(\alpha, \beta, L, \Phi)$ encodes that on every path it is always the case that after $\alpha$ is seen, either $\Phi$ is always true until $\beta$ is seen, or $\Phi$ is always true and an action from $L$ occurs infinitely often on the path. Note that on paths on which actions from $L$ do not occur infinitely often, action $\beta$ has to appear eventually. Without this notion of fairness, which we use to encode, e.g., that messages transferred over the SCSI bus have finite length, some properties cannot be validated.

Unfortunately, CCS$^{dp}$ and CCS$^{rt}$ turn every visible action $a$ or $\bar{a}$ into the internal action $\tau$ when communicating on port $a$. However, in order to prove any interesting property except deadlock, we have to observe certain actions of the system, e.g., those modeling the assertion and de-assertion of bus signals. Therefore, we attach to some actions $a$ (either the input or the output action belonging to channel $a$) and the internal action $\tau$ a visible action or probe $o$, thus leading to a complex action $a(o)$, $\bar{a}(o)$, or $\tau(o)$, respectively. Whenever a transition labeled by $a(o)$ ($\bar{a}(o)$) synchronizes with a transition labeled by $\bar{a}$ ($a$), the resulting $\tau$ is annotated by $o$, i.e., $\tau(o)$ is produced. Hence, a communication on port $a$ is immediately observed by probe $o$, as intended. Our model includes (i) the probes begin_Phase and end_Phase marking the beginning and end of each information transfer phase, respectively, (ii) the probes begin_ph signaling the beginning of some particular phase ph, (iii) the probes obs_place and obs_read observing the writing and reading of information on/from the data bus, respectively, and (iv) the probes obs_setSIG and obs_relSIG indicating the assertion and de-assertion of some signal SIG, respectively. Now, the above properties can be formalized.

• Property 1: This property ensures that the model does not possess undesired liveloeks. i.e., for each 
bus phase ph we consider the formula [— ]°° { — )*((begin_ph)££). 

• Property 2: We have to check for every path that probe begin_Phase is eventually followed by probe 
end_Phase before another beginThase is observed. 

/Mr-/e///ms(begin_Phase, end^hase. {obs.setATN}, {— )tt) . 

The fairness constraint ensures that the initiator does not ignore the target’s wish to enter a new 
phase forever by continuously asserting the ATN signal. 

• Property 3: We encode that on all paths the probes obs_setREQ, obs_relREQ, obs_setACK, and
obs_relACK do not occur between end_Phase and begin_Phase.

$\mathit{between}(\mathit{end\_Phase},\ \mathit{begin\_Phase},\ [\mathit{obs\_setREQ}, \mathit{obs\_relREQ}, \mathit{obs\_setACK}, \mathit{obs\_relACK}]\mathit{ff})$ .

• Property 4: This formalization can be done along the lines of the one of Property 3.

$\mathit{between}(\mathit{begin\_Phase},\ \mathit{end\_Phase},\ [\mathit{obs\_setBSY}, \mathit{obs\_relBSY}, \mathit{obs\_setSEL}, \mathit{obs\_relSEL}]\mathit{ff})$ .

• Property 5: Here, one has to encode that obs_place is always followed by obs_read. The incorporated
fairness constraint corresponds to the one in Property 2.

$\mathit{fair\mbox{-}follows}(\mathit{obs\_place},\ \mathit{obs\_read},\ \{\mathit{obs\_setATN}\},\ [\mathit{obs\_place}]\mathit{ff})$ .

• Property 6: We have to formalize that every probe obs_setATN is always eventually followed by a
probe begin_MsgOut. Note that this property does not require any fairness assumption.

$\mathit{fair\mbox{-}follows}(\mathit{obs\_setATN},\ \mathit{begin\_MsgOut},\ \emptyset,\ [\mathit{obs\_setATN}]\mathit{ff})$ .

6.2. Verification Results. We were able to validate each property in our model in no more than two
minutes when running the CWB-NC on a SUN SPARC 20 workstation. The model checker we used is a local
model checker for a fragment of the modal μ-calculus [4]. Applying a local model checker in contrast to a
global one remarkably speeds up the task of verification during the initial modeling attempts. In fact, the
modeling of the SCSI-2 bus-protocol was done in several stages. At early modeling stages the model checker
invalidated most properties immediately. The encountered errors ranged from missed fairness constraints to
wrong timing information and were identified by examining the diagnostic information - displayed in the form
of failure traces - as provided by the model checker. During the process of verification, we also realized that
the timing constraints of the bus protocol are not only imposed for avoiding wire glitches but also in order to
implement necessary synchronization constraints during the initial bus phases. Without these constraints,
two LUNs may gain access to the bus for arbitration, which leads to a deadlock. This emphasizes the necessity
of dealing with real-time constraints in reactive systems, even if explicit real-time behavior is not of interest.
7. Discussion and Related Work. One may wonder why CCS_dp semantics does not consider actions
with minimal delays or priority values as labels of transitions only. In particular, one can avoid the side
condition of Rule (Act2) by allowing communication on different priority levels. The reason that we have
not followed this approach is that it imposes an unsound abstraction for CCS_rt semantics. As a simple
example consider process $P =_{\mathit{def}} (a{:}1.b{:}0.\mathbf{0} \mid \bar{b}{:}1.\mathbf{0} + c{:}2.\mathbf{0}) \setminus \{b\}$. According to the modified CCS_dp semantics,
$P$ can engage in an $a$-transition with priority 1 to process $(b{:}0.\mathbf{0} \mid \bar{b}{:}0.\mathbf{0} + c{:}1.\mathbf{0}) \setminus \{b\}$. Hence, after an
$a$-transition a $c$-transition is always pre-empted since a communication on $b$ with priority 0 is pending.
According to the original CCS_dp semantics, however, $P$ may also engage in an $a$-transition with priority 2 to
$(b{:}0.\mathbf{0} \mid \bar{b}{:}0.\mathbf{0} + c{:}0.\mathbf{0}) \setminus \{b\}$. Thus, there exists a path starting with an $a$-transition, after which a $c$ may be
observed. Cutting off this path changes the behavior of $P$, whence the modified CCS_dp semantics is incorrect.
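To make the pre-emption argument above concrete, here is an added Python sketch (not from the paper) that interprets the small CCS_dp fragment of this example under both semantics; the term encoding, the finite priority horizon and the helper names `steps`, `transitions` and `traces` are this example's own assumptions, not the paper's formal rules.

```python
# Added example, not from the paper: a tiny interpreter for the finite CCS_dp
# fragment of the Section 7 example.  It contrasts the original semantics (a:k may
# fire at any priority l >= k, partners communicate on equal levels) with the
# "modified" one the section rejects (only the minimal delay k labels a transition,
# partners may communicate on different levels).  Term encoding and the finite
# priority horizon are this example's own simplifications.
NIL = ('nil',)
def pre(act, k, p): return ('pre', act, k, p)              # act:k.p  ("'x" = output)
def sum_(p, q):      return ('sum', p, q)                  # p + q
def par(p, q):       return ('par', p, q)                  # p | q
def res(p, names):   return ('res', p, frozenset(names))   # p \ names
def comp(act):       return act[1:] if act.startswith("'") else "'" + act

def age(p, l):
    """Let l time units pass: every top-level guard loses l from its delay."""
    if p[0] == 'pre':          return ('pre', p[1], max(0, p[2] - l), p[3])
    if p[0] in ('sum', 'par'): return (p[0], age(p[1], l), age(p[2], l))
    if p[0] == 'res':          return ('res', age(p[1], l), p[2])
    return p

def horizon(p):
    """Largest top-level delay; waiting longer than this yields the same aged state."""
    if p[0] == 'pre':          return p[2]
    if p[0] in ('sum', 'par'): return max(horizon(p[1]), horizon(p[2]))
    if p[0] == 'res':          return horizon(p[1])
    return 0

def steps(p, mode, h):
    """Transitions (action, priority, successor) before global pre-emption."""
    if p[0] == 'pre':
        act, k, q = p[1], p[2], p[3]
        return [(act, l, q) for l in ([k] if mode == 'modified' else range(k, h + 1))]
    if p[0] == 'sum':
        return steps(p[1], mode, h) + steps(p[2], mode, h)
    if p[0] == 'res':                                  # hide restricted names
        return [(a, l, res(q, p[2])) for a, l, q in steps(p[1], mode, h)
                if a.lstrip("'") not in p[2]]
    if p[0] == 'par':
        left, right = steps(p[1], mode, h), steps(p[2], mode, h)
        out = [(a, l, par(q, age(p[2], l))) for a, l, q in left]      # idle side ages
        out += [(a, l, par(age(p[1], l), q)) for a, l, q in right]
        for a, l, q in left:                                           # synchronisation
            for b, m, r in right:
                if 'tau' not in (a, b) and comp(a) == b and (mode == 'modified' or l == m):
                    out.append(('tau', max(l, m), par(q, r)))
        return out
    return []

def transitions(p, mode):
    """Pre-emption: a pending tau with a lower priority value blocks every higher one."""
    ts = steps(p, mode, horizon(p))
    taus = [l for a, l, _ in ts if a == 'tau']
    return [(a, l, q) for a, l, q in ts if not any(m < l for m in taus)]

def traces(p, mode):
    """Every finite action sequence (priorities dropped) that p can perform."""
    out = {()}
    for a, _, q in transitions(p, mode):
        out |= {(a,) + t for t in traces(q, mode)}
    return out

# P = (a:1.b:0.0 | 'b:1.0 + c:2.0) \ {b}, the process discussed in Section 7
P = res(par(pre('a', 1, pre('b', 0, NIL)), sum_(pre("'b", 1, NIL), pre('c', 2, NIL))), {'b'})
```

Under the original semantics `traces(P, 'original')` contains the sequence (a, c), reached via the a-transition with priority 2, while `traces(P, 'modified')` does not.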

Regarding related work, a formal relationship between a quantitative real-time process algebra and
a process algebra with static priority, adapted from [11], is established by Jeffrey in [23]. Jeffrey also
translates real-time to priority based on the idea of time stamping and presents a semantic correspondence
based on bisimulation. In contrast to CCS_rt semantics, a process modeled in Jeffrey's framework may either
immediately engage in an action or idle forever. However, this semantics does not reflect our intuition about
the behavior of reactive systems, i.e., a process should wait until a desired communication partner becomes
available instead of engaging in a "livelock." It is only because of this design decision that Jeffrey does
not need to choose a dynamic-priority framework. In [6] a variant of CCSR [7], referred to as CCSR92,
is introduced. Since CCSR focuses on specifying and verifying concurrent real-time systems, an ability of
capturing scheduling behavior is needed. Consequently, a notion of dynamic priority, such as occurs in
priority-inheritance and earliest-deadline-first scheduling algorithms, is adopted for CCSR92. In [6] dynamic
priorities are given as a function of the history of the system under consideration. Accordingly, the operational
semantics of CCSR92 is re-defined to include historical context. The authors show that dynamic priorities
do not always lead to a compositional semantics and give a sufficient condition that ensures compositionality.

8. Conclusions and Future Work. We introduced the process algebra CCS_dp with dynamic priority
whose semantics corresponds one-to-one to the discrete quantitative real-time semantics of CCS_rt. Its utility
stems from the fact that CCS_dp semantics yields significantly more compact models than CCS_rt semantics without
abstracting away any aspects of real-time. Thus, CCS_dp provides a means for efficiently implementing real-
time semantics. The compactness of models can be improved further if one is not interested in verifying
properties involving quantitative time and in the semantics' compositionality. In this case a CCS_dp model
may be minimized according to standard bisimulation after ignoring the priority values in the labels. We
implemented CCS_dp and CCS_rt in the Concurrency Workbench of North Carolina which we used to formally
model and reason about the SCSI-2 bus-protocol. The size of our model is about an order of magnitude
smaller when constructed with CCS_dp instead of CCS_rt semantics and can be handled easily within the
Workbench. In addition, we specified several desired properties of the bus protocol in the modal μ-calculus
and validated them by using model checking. Regarding future work, the SCSI-2 bus-protocol should be
modeled in more detail and, thereby, enable the verification of additional interesting properties.
Appendix A. Complete Model of the Bus Protocol.

proc SCSIBus = (LUN0 | LUN1 | BusSignals) \{ setBSY, relBSY, isBSY, noBSY,
                                              setSEL, relSEL, isSEL, noSEL,
                                              setCD,  relCD,  isCD,  noCD,
                                              setIO,  relIO,  isIO,  noIO,
                                              setMSG, relMSG, isMSG, noMSG,
                                              setATN, relATN, isATN, noATN,
                                              setREQ, relREQ, isREQ, noREQ,
                                              setACK, relACK, isACK, noACK,
                                              placemsgIn, readmsgIn,
                                              placemsgOut, readmsgOut,
                                              placecmd, readcmd,
                                              placefinished, readfinished,
                                              placedata, readdata,
                                              placestatus, readstatus,
                                              sentdisconnect, readdisconnect,
                                              sentcomplete, readcomplete,
                                              writetarget0, readtarget0,
                                              writetarget1, readtarget1,
                                              release, setid0, setid1,
                                              noid0, noid1, isid0, isid1,
                                              clear }


* LUN0

proc LUN0 = t(start0):9.'relIO:0.(BusFree0 + GetSelected0)
          + t(start0):9.'setIO(obs_setIO):0.(BusFree0 + GetSelected0)
          + t:9.LUN0 + GetSelected0

proc GetSelected0 = isATN:0.( isSEL:0.noBSY:0.readtarget0:0.'setBSY(obs_setBSY):0.'release:0.
                              'clear:0.noSEL:0.(noIO:0.Target0 + isIO:0.Initiator0)
                            + noSEL:0.LUN0
                            )

* BusFree Phase

proc BusFree0 = t(busfree):80.'setBSY(obs_setBSY):80.'setid0:0.Arbitrate0
              + isSEL(obs_isSEL):0.LUN0 + isBSY(obs_isBSY):0.LUN0

* Arbitration Phase

proc Arbitrate0 = noid1(obs_winner_id0):480.'setSEL(obs_setSEL):0.Selection0
                + isid1(obs_winner_id1):480.LUN0

* Selection Phase

proc Selection0 = 'writetarget1:240.'setATN:9.'relBSY(obs_relBSY):18.isBSY:80.
                  'relSEL(obs_relSEL):9.t(begin_ITP):0.(noIO:0.Initiator0 + isIO:0.Target0)

* Initiator

proc Initiator0 = H0 [> noBSY(obs_noBSY):0.'relATN:0.LUN0
proc H0 = t:9.'setATN(obs_setATN):9.H0
        + isREQ(obs_isREQ):9.( noMSG:0.( noCD:0.(noIO:0.DataOutI0 + isIO:0.DataInI0)
                                       + isCD:0.(noIO:0.CommandI0 + isIO:0.StatusI0)
                                       )
                             + isMSG:0.isCD:0.(noIO:0.MsgOutI0 + isIO:0.MsgInI0)
                             )

* Target

proc Target0 = (noIO:0.MsgOutT0 + isIO:0.'relATN:0.MsgInT0) [> noBSY:0.'relATN:0.LUN0

* MsgIn and MsgOut Phases

proc MsgInI0 = isREQ:0.( readmsgIn:0.'setACK:0.noREQ:0.'relACK:0.MsgInI0
                       + readfinished:0.'setACK:0.noREQ:0.'relACK:0.H0
                       + readcomplete:0.'setACK:0.noREQ:0.'relACK:0.nil
                       + readdisconnect:0.'setACK:0.noREQ:0.'relACK:0.nil
                       )

proc MsgInT0 = 'setMSG:0.'setCD:0.'setIO(begin_MsgIn):0.t(begin_Phase):0.MsgInT0'
proc MsgInT0' = 'placemsgIn:0.'setREQ(obs_setREQ):9.isACK(obs_isACK):0.'release:0.
                'relREQ(obs_relREQ):0.noACK:0.MsgInT0'
              + 'placefinished:0.'setREQ(obs_setREQ):9.isACK(obs_isACK):0.
                'release:0.'relREQ(obs_relREQ):0.noACK(end_Phase):0.
                (MsgOutT0 + DataOutT0 + DataInT0 + CommandT0 + StatusT0)
              + 'sentcomplete:0.'setREQ:9.isACK(obs_isACK):0.'release:0.'relREQ(obs_relREQ):0.
                noACK(end_Phase):0.t(end_ITP):0.'relBSY(obs_relBSY):0.nil
              + 'sentdisconnect:0.'setREQ:9.isACK(obs_isACK):0.'release:0.'relREQ(obs_relREQ):0.
                noACK(end_Phase):0.t(end_ITP):0.'relBSY(obs_relBSY):0.nil

proc MsgOutI0 = isREQ:0.( 'placemsgOut:0.'setACK:9.noREQ:0.'release:0.'relACK:0.MsgOutI0
                        + 'placefinished:0.'relATN:9.'setACK:0.noREQ:0.'release:0.'relACK:0.H0
                        )

proc MsgOutT0 = isATN:0.'setMSG:0.'setCD:0.'relIO(begin_MsgOut):0.t(begin_Phase):0.MsgOutT0'
proc MsgOutT0' = 'setREQ:0.isACK(obs_isACK):0.
                 ( readmsgOut:0.'relREQ(obs_relREQ):0.noACK(obs_noACK):0.MsgOutT0'
                 + readfinished:0.'relREQ(obs_relREQ):0.noACK:0.
                   ( t(end_Phase):0.(MsgInT0 + DataOutT0 + DataInT0 + CommandT0 + StatusT0)
                   + t:0.MsgOutT0'
                   )
                 )

* Command Phase

proc CommandI0 = isREQ:0.( 'placecmd:0.'setACK:9.noREQ:0.'release:0.'relACK:0.CommandI0
                         + 'placefinished:0.'setACK:9.noREQ:0.'release:0.'relACK:0.H0
                         )

proc CommandT0 = 'relMSG:0.'setCD:0.'relIO(begin_Command):0.t(begin_Phase):0.CommandT0'
proc CommandT0' = 'setREQ:0.isACK(obs_isACK):0.
                  ( readcmd:0.'relREQ(obs_relREQ):0.noACK:0.CommandT0'
                  + readfinished:0.'relREQ(obs_relREQ):0.noACK:0.t(end_Phase):0.
                    (MsgOutT0 + MsgInT0 + DataOutT0 + DataInT0 + StatusT0)
                  )

* DataIn and DataOut Phases

proc DataInI0 = isREQ:0.( readdata:0.'setACK:0.noREQ:0.'relACK:0.DataInI0
                        + readfinished:0.'setACK:0.noREQ:0.'relACK:0.H0
                        )

proc DataInT0 = 'relMSG:0.'relCD:0.'setIO(begin_DataIn):0.t(begin_Phase):0.DataInT0'
proc DataInT0' = 'placedata:0.'setREQ:9.isACK(obs_isACK):0.'release:0.'relREQ(obs_relREQ):0.
                 noACK:0.DataInT0'
               + 'placefinished:0.'setREQ:9.isACK(obs_isACK):0.'release:0.'relREQ(obs_relREQ):0.
                 noACK(end_Phase):0.(MsgOutT0 + MsgInT0 + StatusT0)

proc DataOutI0 = isREQ:0.( 'placedata:0.'setACK:9.noREQ:0.'release:0.'relACK:0.DataOutI0
                         + 'placefinished:0.'setACK:9.noREQ:0.'release:0.'relACK:0.H0
                         )

proc DataOutT0 = 'relMSG:0.'relCD:0.'relIO(begin_DataOut):0.t(begin_Phase):0.DataOutT0'
proc DataOutT0' = 'setREQ:0.isACK(obs_isACK):0.
                  ( readdata:0.'relREQ(obs_relREQ):0.noACK:0.DataOutT0'
                  + readfinished:0.'relREQ(obs_relREQ):0.noACK(end_Phase):0.
                    (MsgOutT0 + MsgInT0 + StatusT0)
                  )

* Status Phase

proc StatusI0 = readstatus:0.'setACK:0.noREQ:0.'relACK:0.H0

proc StatusT0 = 'relMSG:0.'setCD:0.'setIO(begin_Status):0.t(begin_Phase):0.'placestatus:0.
                'setREQ:9.isACK(obs_isACK):0.'release:0.'relREQ(obs_relREQ):0.noACK(end_Phase):0.
                (MsgOutT0 + MsgInT0)


* LUN1

proc LUN1 = t(start1):9.'relIO:0.(BusFree1 + GetSelected1)
          + t(start1):9.'setIO(obs_setIO):0.(BusFree1 + GetSelected1)
          + t:9.LUN1 + GetSelected1

proc GetSelected1 = isATN:0.( isSEL:0.noBSY:0.readtarget1:0.'setBSY(obs_setBSY):0.'release:0.
                              'clear:0.noSEL:0.(noIO:0.Target1 + isIO:0.Initiator1)
                            + noSEL:0.LUN1
                            )

* BusFree Phase

proc BusFree1 = t(busfree):80.'setBSY(obs_setBSY):80.'setid1:0.Arbitrate1
              + isSEL(obs_isSEL):0.LUN1 + isBSY(obs_isBSY):0.LUN1

* Arbitration Phase

proc Arbitrate1 = noSEL:80.'setSEL(obs_setSEL):0.Selection1 + isSEL:80.LUN1

* Selection Phase

proc Selection1 = 'writetarget0:240.'setATN:9.'relBSY(obs_relBSY):18.isBSY:80.
                  'relSEL(obs_relSEL):9.t(begin_ITP):0.(noIO:0.Initiator1 + isIO:0.Target1)

* Initiator

proc Initiator1 = H1 [> noBSY(obs_noBSY1):0.'relATN:0.LUN1
proc H1 = t:9.'setATN(obs_setATN):9.H1
        + isREQ(obs_isREQ1):9.( noMSG:0.( noCD:0.(noIO:0.DataOutI1 + isIO:0.DataInI1)
                                        + isCD:0.(noIO:0.CommandI1 + isIO:0.StatusI1)
                                        )
                              + isMSG:0.isCD:0.(noIO:0.MsgOutI1 + isIO:0.MsgInI1)
                              )

* Target

proc Target1 = (noIO:0.MsgOutT1 + isIO:0.'relATN:0.MsgInT1) [> noBSY:0.'relATN:0.LUN1

* MsgIn and MsgOut Phases

proc MsgInI1 = isREQ:0.( readmsgIn:0.'setACK:0.noREQ:0.'relACK:0.MsgInI1
                       + readfinished:0.'setACK:0.noREQ:0.'relACK:0.H1
                       + readcomplete:0.'setACK:0.noREQ:0.'relACK:0.nil
                       + readdisconnect:0.'setACK:0.noREQ:0.'relACK:0.nil
                       )

proc MsgInT1 = 'setMSG:0.'setCD:0.'setIO(begin_MsgIn):0.t(begin_Phase):0.MsgInT1'
proc MsgInT1' = 'placemsgIn:0.'setREQ(obs_setREQ):9.isACK(obs_isACK):0.'release:0.
                'relREQ(obs_relREQ):0.noACK:0.MsgInT1'
              + 'placefinished:0.'setREQ(obs_setREQ):9.isACK(obs_isACK):0.'release:0.
                'relREQ(obs_relREQ):0.noACK(end_Phase):0.
                (MsgOutT1 + DataOutT1 + DataInT1 + CommandT1 + StatusT1)
              + 'sentcomplete:0.'setREQ:9.isACK(obs_isACK):0.'release:0.'relREQ(obs_relREQ):0.
                noACK(end_Phase):0.t(end_ITP):0.'relBSY(obs_relBSY):0.nil
              + 'sentdisconnect:0.'setREQ:9.isACK(obs_isACK):0.'release:0.'relREQ(obs_relREQ):0.
                noACK(end_Phase):0.t(end_ITP):0.'relBSY(obs_relBSY):0.nil

proc MsgOutI1 = isREQ:0.( 'placemsgOut:0.'setACK:9.noREQ:0.'release:0.'relACK:0.MsgOutI1
                        + 'placefinished:0.'relATN:9.'setACK:0.noREQ:0.'release:0.'relACK:0.H1
                        )

proc MsgOutT1 = isATN:0.'setMSG:0.'setCD:0.'relIO(begin_MsgOut):0.t(begin_Phase):0.MsgOutT1'
proc MsgOutT1' = 'setREQ:0.isACK(obs_isACK):0.
                 ( readmsgOut:0.'relREQ(obs_relREQ):0.noACK(obs_noACK):0.MsgOutT1'
                 + readfinished:0.'relREQ(obs_relREQ):0.noACK:0.
                   ( t(end_Phase):0.(MsgInT1 + DataOutT1 + DataInT1 + CommandT1 + StatusT1)
                   + t:0.MsgOutT1'
                   )
                 )

* Command Phase

proc CommandI1 = isREQ:0.( 'placecmd:0.'setACK:9.noREQ:0.'release:0.'relACK:0.CommandI1
                         + 'placefinished:0.'setACK:9.noREQ:0.'release:0.'relACK:0.H1
                         )

proc CommandT1 = 'relMSG:0.'setCD:0.'relIO(begin_Command):0.t(begin_Phase):0.CommandT1'
proc CommandT1' = 'setREQ:0.isACK(obs_isACK):0.
                  ( readcmd:0.'relREQ(obs_relREQ):0.noACK:0.CommandT1'
                  + readfinished:0.'relREQ(obs_relREQ):0.noACK(end_Phase):0.
                    (MsgOutT1 + MsgInT1 + DataOutT1 + DataInT1 + StatusT1)
                  )


* DataIn and DataOut Phases

proc DataInI1 = isREQ:0.( readdata:0.'setACK:0.noREQ:0.'relACK:0.DataInI1
                        + readfinished:0.'setACK:0.noREQ:0.'relACK:0.H1
                        )

proc DataInT1 = 'relMSG:0.'relCD:0.'setIO(begin_DataIn):0.t(begin_Phase):0.DataInT1'
proc DataInT1' = 'placedata:0.'setREQ:9.isACK(obs_isACK):0.'release:0.'relREQ(obs_relREQ):0.
                 noACK:0.DataInT1'
               + 'placefinished:0.'setREQ:9.isACK(obs_isACK):0.'release:0.'relREQ(obs_relREQ):0.
                 noACK(end_Phase):0.(MsgOutT1 + MsgInT1 + StatusT1)

proc DataOutI1 = isREQ:0.( 'placedata:0.'setACK:9.noREQ:0.'release:0.'relACK:0.DataOutI1
                         + 'placefinished:0.'setACK:9.noREQ:0.'release:0.'relACK:0.H1
                         )

proc DataOutT1 = 'relMSG:0.'relCD:0.'relIO(begin_DataOut):0.t(begin_Phase):0.DataOutT1'
proc DataOutT1' = 'setREQ:0.isACK(obs_isACK):0.
                  ( readdata:0.'relREQ(obs_relREQ):0.noACK:0.DataOutT1'
                  + readfinished:0.'relREQ(obs_relREQ):0.noACK(end_Phase):0.
                    (MsgOutT1 + MsgInT1 + StatusT1)
                  )

* Status Phase

proc StatusI1 = readstatus:0.'setACK:0.noREQ:0.'relACK:0.H1

proc StatusT1 = 'relMSG:0.'setCD:0.'setIO(begin_Status):0.t(begin_Phase):0.'placestatus:0.
                'setREQ:9.isACK(obs_isACK):0.'release:0.'relREQ(obs_relREQ):0.noACK(end_Phase):0.
                (MsgOutT1 + MsgInT1)


* Bus Signals, Data Bus, and Arbitration Variable

proc BusSignals = DataBus
                | Arbitrator
                | Off[setBSY/set, relBSY/rel, isBSY/on, noBSY/off]
                | Off[setSEL/set, relSEL/rel, isSEL/on, noSEL/off]
                | Off[setCD/set,  relCD/rel,  isCD/on,  noCD/off]
                | Off[setIO/set,  relIO/rel,  isIO/on,  noIO/off]
                | Off[setMSG/set, relMSG/rel, isMSG/on, noMSG/off]
                | Off[setATN/set, relATN/rel, isATN/on, noATN/off]
                | Off[setREQ/set, relREQ/rel, isREQ/on, noREQ/off]
                | Off[setACK/set, relACK/rel, isACK/on, noACK/off]

proc Off = 'off:0.Off + set:0.On + rel:0.Off
proc On  = 'on:0.On   + set:0.On + rel:0.Off

proc DataBus  = DataBus' [> release(obsrelease):0.DataBus
proc DataBus' = placemsgIn(obsplace):0.'readmsgIn(obsread):0.DataBus'
              + placemsgOut(obsplace):0.'readmsgOut(obsread):0.DataBus'
              + placefinished(obsplace):0.'readfinished(obsread):0.DataBus'
              + placedata(obsplace):0.'readdata(obsread):0.DataBus'
              + placecmd(obsplace):0.'readcmd(obsread):0.DataBus'
              + placestatus(obsplace):0.'readstatus(obsread):0.DataBus'
              + sentdisconnect(obssentdiscon):0.'readdisconnect(obsreaddiscon):0.DataBus'
              + sentcomplete(obssentcomplete):0.'readcomplete(obsreadcomplete):0.DataBus'
              + writetarget0(obswritet0):0.'readtarget0(obsreadt0):0.DataBus'
              + writetarget1(obswritet1):0.'readtarget1(obsreadt1):0.DataBus'

proc Arbitrator = Undef [> clear:0.Arbitrator
proc Undef = setid0:0.Id0 + setid1:0.Id1 + 'noid0:0.Undef + 'noid1:0.Undef
proc Id0   = setid0:0.Id0 + setid1:0.Id1 + 'isid0:0.Id0   + 'noid1:0.Id0
proc Id1   = setid0:0.Id1 + setid1:0.Id1 + 'noid0:0.Id1   + 'isid1:0.Id1